Immutable bootloader and firmware validator

ABSTRACT

Provided is a process, including: accessing, with a processor of an embedded computing device, immutable executable code stored in read-only memory of the embedded computing device; executing, with the processor of the embedded computing device, instructions of the immutable executable code that retrieve, from the read-only memory, a network-layer address of a tamper-evident, immutable data repository and an application-layer address of firmware of the embedded computing device stored in the tamper-evident, immutable data repository; executing, with the processor of the embedded computing device, instructions of the immutable executable code that, using the network-layer address and the application-layer address, download the firmware of the embedded computing device from the tamper-evident, immutable data repository; and executing, with the processor of the embedded computing device, instructions of the immutable executable code that store the downloaded firmware in re-writeable memory of the embedded computing device.

CROSS-REFERENCE TO RELATED APPLICATIONS

The present patent is a continuation of U.S. patent application Ser. No.16/516,152, titled IMMUTABLE BOOTLOADER AND FIRMWARE VALIDATOR, filed 18Jul. 2019, which claims the benefit of U.S. Provisional PatentApplication 62/699,884, having the same title, filed 18 Jul. 2018, andis a continuation-in-part of U.S. patent application Ser. No.16/267,290, titled FRAGMENTING DATA FOR THE PURPOSES OF PERSISTENTSTORAGE ACROSS MULTIPLE IMMUTABLE DATA STRUCTURES, filed 4 Feb. 2019,now issued as U.S. Pat. No. 10,970,413, which is a continuation of U.S.patent application Ser. No. 15/845,436, having the same title, filed 18Dec. 2017, now issued as U.S. Pat. No. 10,242,219, which is acontinuation of U.S. patent application Ser. No. 15/675,490, having thesame title, filed 11 Aug. 2017, now issued as U.S. Pat. No. 9,881,176,which claims the benefit of U.S. Provisional Patent Application62/374,278, having the same title, filed 12 Aug. 2016. The entirecontent of each aforementioned patent filing is hereby incorporated byreference.

BACKGROUND 1. Field

The present disclosure relates generally to cybersecurity and, more,specifically to immutable, or otherwise tamper-evident, bootloaders andfirmware validators.

2. Description of the Related Art

Computing devices, such as personal computers, mobile devices, embeddeddevices, servers, and the like, are often vulnerable to maliciousmanipulation of code that runs outside of, or as part of launching, orwithout the presence of, an operating system (OS). Traditionalanti-malware techniques, run as applications in an OS, generally do notaddress or have access to code operating at this level, e.g., firmware,microcode, UEFI code, BIOS code, boot loaders, and the like. Attackerswith access to this code can often gain control of a computing device ina manner that cannot be easily detected or defeated, e.g., byre-installing an OS. Furthermore, many embedded computing devices lackcomputing resources to perform computationally expensive monitoring ordetecting of attacks.

One approach used in some cases is signing of code, e.g., bycryptographically signing a cryptographic hash digest of the code with aprivate key corresponding to a public key to which security software ofthe computing device has access. However, in many cases, devices aredeployed without this infrastructure due to resource constraints, orprivate keys can be compromised, defeating the mechanism for aninstalled base.

One approach is to store trusted versions of code in remote datastores.But in many cases, the security and integrity of the data in thedatastore cannot be trusted. Often, an attacker who has penetrated acomputer network will modify or exfiltrate records in a datastore thatare intended to be confidential. Further, in many cases, the attackermay be a credentialed entity within a network, such a as a rogueemployee, making many traditional approaches to datastore securityinadequate in some cases. Aggravating the risk, in many cases, such anattacker may attempt to mask their activity in a network by deletingaccess logs stored in datastores.

SUMMARY

The following is a non-exhaustive listing of some aspects of the presenttechniques. These and other aspects are described in the followingdisclosure.

Some aspects include a process including: accessing, with a processor ofan embedded computing device, immutable executable code stored inread-only memory of the embedded computing device; executing, with theprocessor of the embedded computing device, instructions of theimmutable executable code that retrieve, from the read-only memory, anetwork-layer address of a tamper-evident, immutable data repository andan application-layer address of firmware of the embedded computingdevice stored in the tamper-evident, immutable data repository;executing, with the processor of the embedded computing device,instructions of the immutable executable code that, using thenetwork-layer address and the application-layer address, download thefirmware of the embedded computing device from the tamper-evident,immutable data repository; executing, with the processor of the embeddedcomputing device, instructions of the immutable executable code thatstore the downloaded firmware in re-writeable memory of the embeddedcomputing device; and executing, with the processor of the embeddedcomputing device, instructions of the immutable executable code thatcause an instruction address register of the processor or anotherprocessor of the embedded computing device to point to a first addressof the firmware in the re-writeable memory of the embedded computingdevice to initiate execution of the firmware by the processor or anotherprocessor of the embedded computing device.

Some aspects include a process including: receiving a request to executewith a computing device, or install on the computing device, anuntrusted instance of sub-operating-system (OS)-level executable codestored in re-writeable memory of the computing device; and in responseto the request, verifying that the untrusted instance of thesub-OS-level code has not been subject to tampering by executing, withthe computing device, instructions stored in read-only memory of thecomputing device to: calculate a first hash digest of the untrustedinstance of the sub-OS-level executable code stored in the re-writeablememory of the computing device; obtain, from a distributed acyclic graphof cryptographic hash pointers stored external to the computing device,a second hash digest of a trusted instance of the sub-OS-level code;determine whether the first hash digest matches the second hash digestand, in response to the determination, determine whether to execute orto install the untrusted instance of the sub-OS-level code or blockexecution or installation of the untrusted instance of the sub-OS-levelcode; and storing a result of the determination of whether to execute orto install the untrusted instance of the sub-OS-level code in memory.

Some aspects include a tangible, non-transitory, machine-readable mediumstoring instructions that when executed by a data processing apparatuscause the data processing apparatus to perform operations including theabove-mentioned process.

Some aspects include a system, including: one or more processors; andmemory storing instructions that when executed by the processors causethe processors to effectuate operations of the above-mentioned process.

BRIEF DESCRIPTION OF THE DRAWINGS

The above-mentioned aspects and other aspects of the present techniqueswill be better understood when the present application is read in viewof the following figures in which like numbers indicate similar oridentical elements:

FIG. 1A is a logical and physical architecture block diagram that showsan example of an embedded computing device having sub-OS-level codesecured by records in a tamper-evident, immutable data repository inaccordance with some embodiments;

FIG. 1B is a flowchart of a process to load executable code to theembedded computing device of FIG. 1A retrieved from the tamper-evident,immutable data repository in accordance with some embodiments;

FIG. 1C is a flowchart of a process to verify executable code stored onthe embedded computing device of FIG. 1A based on a cryptographic hashdigest retrieved from the tamper-evident, immutable data repository inaccordance with some embodiments;

FIG. 1D is a logical and physical architecture block diagram that showsan example of a computing environment in which the tamper-evident,immutable data repository may be implemented in accordance with someembodiments;

FIG. 2 is a flow chart that shows an example of a process to read andwrite executable code, hash digests thereof, or other documents to atamper-evident, immutable data repository in accordance with someembodiments;

FIG. 3 is a data model block diagram that shows an example of atamper-evident, immutable data repository that may be operated upon bythe process of FIG. 2 in accordance with some embodiments;

FIG. 4 is a flow chart that shows an example of a process by whichstored values may be fragmented and stored among a plurality ofdifferent tamper-evident, immutable directed acyclic graphs, such asthose shown in FIG. 3 , in accordance with some embodiments;

FIG. 5 is a data model block diagram that shows an example of atamper-evident, immutable data repository storing fragments of datadistributed among multiple directed acyclic graphs that may be operatedupon by the processes of FIGS. 4 and 6 in accordance with someembodiments;

FIG. 6 is a flow chart that shows an example of a process by which datamay be read from the data structure of FIG. 5 in accordance with someembodiments;

FIG. 7 is a flow chart that shows an example of a process by whichcryptographic hash pointers in tamper-evident data repositories may beformed to render the data repositories modular in accordance with someembodiments;

FIG. 8 is a flow chart that shows an example of a process by whichexisting workload applications and user interfaces may be retrofit tosecurely store and access relatively high-security data in a transparentfashion in accordance with some embodiments;

FIG. 9 is a flow chart that shows an example of a process by whichaccess requests to scattered data may be logged to a tamper-evident,immutable data repository in accordance with some embodiments;

FIG. 10 is a flow chart that shows an example of a process by which datain tamper-evident, immutable data repositories may be compressed bystoring differences between versions of documents or other units ofcontent in accordance with some embodiments;

FIG. 11 is a flow chart that shows an example of a process by whichversion graphs storing sequences of changes between versions ofdocuments may be traversed to read current versions of documents inaccordance with some embodiments;

FIG. 12 is a data model block diagram that shows an example of a datastructure by which a version graph may be stored as a sequence ofcontent graphs on a collection of verification graphs or othertamper-evident, immutable data repositories in accordance with someembodiments; and

FIG. 13 is a physical architecture block diagram that shows an exampleof a computing device by which the above techniques may be implemented.

While the present techniques are susceptible to various modificationsand alternative forms, specific embodiments thereof are shown by way ofexample in the drawings and will herein be described in detail. Thedrawings may not be to scale. It should be understood, however, that thedrawings and detailed description thereto are not intended to limit thepresent techniques to the particular form disclosed, but to thecontrary, the intention is to cover all modifications, equivalents, andalternatives falling within the spirit and scope of the presenttechniques as defined by the appended claims.

DETAILED DESCRIPTION OF CERTAIN EMBODIMENTS

To mitigate the problems described herein, the inventors had to bothinvent solutions and, in some cases just as importantly, recognizeproblems overlooked (or not yet foreseen) by others in the field ofcybersecurity. Indeed, the inventors wish to emphasize the difficulty ofrecognizing those problems that are nascent and will become much moreapparent in the future should trends in industry continue as theinventors expect. Further, because multiple problems are addressed, itshould be understood that some embodiments are problem-specific, and notall embodiments address every problem with traditional systems describedherein or provide every benefit described herein. That said,improvements that solve various permutations of these problems aredescribed below.

A variety of problems relating to security of datastores and networks ofcomputers used by organizations are addressed by various versions oftechniques described below. These different techniques can be usedtogether, synergistically in some cases, so their descriptions aregrouped into a single description that will be filed in multiple patentapplications with different claim sets targeting the differenttechniques and combinations thereof. In view of this approach, it shouldbe emphasized that the techniques are also independently useful and maybe deployed in isolation from one another or in any permutationcombining the different subsets of techniques, none of which to suggestthat any other description herein is limiting. Conceptually relatedgroups of these techniques are preceded by headings below. Theseheadings should not be read as suggesting that the subject matterunderneath different headings may not be combined, that every embodimentdescribed under the heading has all of the features of the heading, orthat every feature under a given heading must be present in anembodiment consistent with the corresponding conceptually related groupof techniques, again which is not to suggest that any other descriptionis limiting.

Immutable Bootloader and Firmware Validator

The ability to ensure one's embedded device is booting legitimatefirmware is something of nightmare for embedded developers.Internet-of-things (IoT) manufactures can ensure this will not be anissue by shipping devices with Read-Only-Memory (ROM), but this preventsupdates to the devices. The need to update has led to the proliferationof such code being stored in electrically erasable programmableread-only memory (EEPROM), which introduces a new threat vector for theIoT developers, as the code can now be re-written by a threat actor.Ensuring that each load of the firmware is genuine will become a majorfocus of cybersecurity professionals.

Rogue firmware flashed to embedded systems has caused the creation oflarge botnets and has the potential to cause harm when this firmwarecontrols locks and doors. By allowing updates to firmware, there becomesa need to ensure the integrity of the firmware before booting. Similarissues arise in the context of other types of executable code runexternal to an operating system, like microcode, UEFI code, BIOS code,boot loaders, and the like.

Some embodiments store and retrieve for installation and execution oncomputing devices (such as embedded devices) trusted copies of firmwareand other sub-OS-level code in the trusted repository described below.Some embodiments offload the code to a blockchain or a series ofblockchains with fragmented data stored across a network of blockchains,and thereby store a firmware image (or hash digest thereof). This imagecan be various sizes and can represent a variety of types of firmware(or other types of sub-OS-level code noted above), as complexityrelating to the storage and validation of the data may be shielded fromthe computing device on which protected code is to execute.

Utilizing a read only memory section on the main CPU or using a separateROM and boot loader chip, some embodiments may ensure the integrity ofthe firmware about to be loaded. This may be done by calculating aSHA256 or similar hash (examples being noted below) of the currentfirmware (or other code) stored in the computing device and comparingthis hash against an entry in the blockchain or network of blockchains,e.g., with a smart contract executed on a blockchain network, or bydownloading a hash digest from the blockchain to the computing devicethat performs the comparison. If the hash matches, then the integrity ofthe firmware is confirmed and the device can load the firmware and boot.If the hashes do not match, this separate ROM and boot chip (e.g.,distinct from a processor running the code that is protected, e.g., as aphysically separate ASIC or a logical block of IP isolated from otherblocks of a SOC by a relatively narrow interface, such as an interfacelimited to communication by interrupt) may stream from the blockchain ornetwork of blockchains the correct firmware image, write it to theEEPROM or similar instruction store, then either boot directly from thenew image, or cause a power reset, and run through the process again.Alternatively, some embodiments may boot from the blockchain or networkof blockchains without checking the integrity first, e.g., streaming tolocal memory a copy of the current trusted version of the code at boot.

In some embodiments, the separate ROM may be protected with physicaltamper prevention measures, e.g., that cause the chip and data storedtherein to be destroyed upon decapping, and in some cases, variousvalues may be permanently written to the ROM to facilitate theabove-described operations, e.g., hard wired in some cases, like byblowing fuses to encode information. Values stored may include an IPaddress or URL of a gateway to the blockchain data store below, one ormore public keys by which signed communications from the blockchain areverified (like of a maker of the device and a provider of theblockchain), and an identifier of the code at issue that distinguishesthat code from other code protected in a similar manner, so that theappropriate data can be retrieved from the blockchain. In some cases,the identifier is an address of a first segment of the code in the datastructure described below.

In some cases, the ROM may be configured to verify that a version numberof code monotonically increases to impede attacks by which earlier (butunmodified) versions of code subject to vulnerabilities are installed.In some embodiments, the ROM may be configured to blow a fuse with eachnew version and reject earlier versions by determining that theirversion number does not correspond to (e.g. is less than) a number offuses blown. In some embodiments, each blown fuse may map to a differentpre-determined address in the blockchain based data store describedbelow at which new trusted versions of code are to be stored.

A variety of tools may be utilized by some embodiments to check a hashof a firmware image against a blockchain, like Guardtime, but thisapproach does not, standing alone, provide an immutable location toretrieve an image if it is deemed to be corrupted or malformed. Batteryand network constraints, in some use cases, with the approach of loadingfrom the blockchain may favor on-chip storage rather than booting fromthe blockchain, and battery optimization may drive similar choices.Storing firmware images on traditional data-stores and comparing hashesis also a technique that can be used in replacement of this system, butdoes not provide the trust features of the trusted data repositorystored below. In some cases, the network of blockchains mentioned abovecan be owned and operated by a number of related parties.

FIGS. 1A through 1C illustrate examples of implementations of the abovetechniques and related techniques. As shown in FIG. 1A, some embodimentsmay be implemented on a host system 400 having one or more embeddedcomputing devices 402, a central processing unit 404, and memory 406.The host system 400 may be in communication with a tamper-evident,immutable data repository 408, like those described below with referenceto FIGS. 1D through 12 , for example, via the Internet or various othernetworks. In some embodiments, the tamper-evident, immutable datarepository 408 may store various versions of executable code 410 to beexecuted by the embedded computing devices 402 or the CPU 404, and thoseversions of code 410 may be stored and processed in the same manner asthe documents described below in some embodiments, or with some subsetof the operations described with reference to the documents describedbelow when discussing FIGS. 1D through 12 . For instance, versions maybe stored as “cliffs” in a version graph or as unconnected documents.

In some embodiments, the host system includes several embedded computingdevices 402, and in some cases, an embedded computing device may itselfbe a host system for other embedded computing devices embedded therein.Those systems may take a variety of forms. Examples include desktopcomputers, laptop computers, servers, mobile phones, tablet computers,head-mounted displays (e.g., AR or VR displays), wrist worn computers(e.g., smart watches), wireless access points, routers, switches, andthe like. Other examples include Internet of things appliances, likesmart speakers, smart lightbulbs, smart refrigerators, smarttelevisions, smart washers and dryers, smart locks, smart garage dooropeners, smart thermostats, set-top media streaming boxes, and otherhome appliances with a processor, memory, and a network interface.Examples further include industrial equipment, like robots on amanufacturing line, industrial process controls and chemicalmanufacturing plants, industrial process controls in semiconductormanufacturing plants, heating ventilation and air conditioning equipmentin manufacturing plants, and the like. In some embodiments, the hostsystem is an embedded device, or in some embodiments, the host systemmerely includes embedded devices.

Three embedded computing devices 402 are shown, but some host systemsmay include more or fewer, like more than 5, or more than 10. In manycases, the embedded system or other embedded device is distinct from acentral processing unit 404 of the host system. Often, the embeddeddevice may run outside of an operating system of the host system, havinga different processor, memory address bus, and memory address space.Examples of embedded devices include network interface cards, hard drivecontrollers, solid-state drive controllers, baseboard managementcontrollers, baseband processors, and the like. Other examples ofembedded devices include the above-described Internet of thingsappliances and sensors in controllers of the above-described industrialequipment. In some embodiments, the embedded computing devices 402communicate with the CPU 404 and the memory 406 via one or more systembuses of the host system 400, like a PCI express bus or via a directmemory access in the host memory 406 on a memory bus. In someembodiments, the CPU 404 executes a driver for each or some of theembedded computing devices 402, and the driver may be configured tocoordinate with firmware executing on the embedded devices 402, in somecases writing values to registers of the embedded systems to controloperation of the firmware or other sub-OS-level code that controls theoperation of the embedded device. In some embodiments, the embeddeddevice may communicate via the CPU 404 by writing to an interruptregister of the CPU 404 and, in doing so, may cause the CPU 404 to ceaseexecuting a current program, perform a context shift, and insteadexecute a interrupt handler corresponding to the value written to theinterrupt register before returning to the previously executing programat an instruction corresponding to a program counter maintained for thatprogram.

In some embodiments, the embedded computing devices 402 may include aprocessor 414 (like a microcontroller or a microprocessor), a write-oncememory 416 (like a set of fuses that are blown to permanently write abinary value incrementing a version number of executable code installedon the embedded computing device 402), an interface to the host system418 (like a PCI express bus interface, SMbus interface, or a directmemory access controller), a network interface 420 (like an ethernetcontroller or wireless network controller), re-writable persistentmemory 422 (like a EEPROM, flash memory, or the like, or someembodiments may use nonpersistent rewritable memory), and a read-onlymemory 412, which may be a form of a write-once memory that is writtenby an OEM.

In some embodiments, the read-only memory 412 may include anexecutable-code validator 424, an executable-code loader 426, andvarious constants, like a layer-seven address 428, a public key 430, anda layer-three address 432. In some embodiments, the executable-codeloader 426 may store code that, when executed by the processor 414,performs a process described below with reference to FIG. 1B, and theexecutable-code validator 424 may store code that when executed by thatprocessor 414 causes the processor 414 to perform the process of FIG. 1Cdescribed below.

In some embodiments, the processor 414 may be hard wired, for example,via an address in an address space of the read-only memory 412 hardcodedinto a mask of a mask set by which the processor 414 is manufactured orstored in write-once memory 416 by blowing fuses, to initialize aprogram counter upon initially receiving power to point to that address,thereby causing the processor 414 to always begin by executing adesignated instruction in the read-only memory 412, such as aninstruction of the validator 424 or of the loader 426. Some embodimentsmay include only the validator 424 and not the loader 426 or vice versa,which is not to suggest that any other feature described herein is notalso amenable to variation.

In some embodiments, the layer-three address 432 is an Internet protocol(IP) address of an interface to the secure distributed storage 16described below, which is one type of tamper-evident, immutable datarepository, like that shown with reference to element number 408 andFIG. 1A. In some embodiments, versions of code, or hash digests thereof,may be stored in blockchains, for example. In some embodiments, thelayer-three address is a hardcoded value that resolves to an IP addressof such a system, like a uniform resource identifier, such as a uniformresource locator, though hard coding the IP address is expected to bemore secure and less susceptible to domain name hijacking attacks. Insome embodiments, the layer-seven address 428 is a portion of an IPaddress that constrains the range of IP addresses to which the systemcommunicates to known secure points.

In some embodiments, the layer-seven address 428 indicates the locationof a record in an application-layer system, like the location of aversion of one of the codes 410 stored is a document in the systemsdescribed with reference to FIGS. 1D through 12 , or a hash digest of aversion of code 410. In some embodiments, the layer-seven address is asegment identifier of a first segment of a most recent installed versionof sub-OS-level code executable by the embedded device 402 to be loadedby loader 426 are validated by validator 424. In some embodiments, thelayer-seven address is an address in a distributed hash table of adecentralized file system, like IPFS, Swarm, or Dat. In someembodiments, the layer-seven address is a portion of such an identifier,which may be combined with a record written to the write-once memory 416to form a full address. For example, a prefix may be stored in thelayer-seven address 428 and a suffix may be incremented by blowing fuseswith each new version of code, or vice versa, thereby immutably changingthe location in the application layer data structure of repository 40 areferenced in a deterministic, otherwise immutable way with eachincrement in the version of secured code. This is expected to mitigateagainst down-versioning attacks in which an older version of code with aknown vulnerability is installed to exploit the vulnerability even aftera subsequent version of that code in which the vulnerability ismitigated is installed. Blowing fuses is expected to prevent theembedded computing device 402 from referencing an address of that olderversion.

In some embodiments, the public key 430 is a public key of acryptographic key pair of an asymmetric encryption protocol. In someembodiments, the public key 430 is a public key of an author of the codeor host of the tamper-evident, immutable data repository 480, or theremay be multiple keys for multiple entities. In some embodiments, variousentities may cryptographically sign the information sent from thetamper-evident, immutable data repository 480 to the embedded computingdevice 402, which may verify that the sent information was signed by anentity with access to the private key corresponding to public key 430before processing the sent information further, for example to installsent code or execute sent code.

In some embodiments, the techniques described to secure code of embeddedcomputing devices 402 may also be applied to code executed by thecentral processing unit 404 within the operate within an operatingsystem stored in memory 406.

In some embodiments, the processor 414 corresponds to multipleprocessors, one of which may be a dedicated verification processor thatverifies code by executing the code of the loader 426 or the validator424, and the verified code may be executed by different processor.

In some embodiments, upon being turned on, or certain functionalitybeing engaged, for instance, with a function call or procedure call, theembedded computing device 402 may attempt to execute corresponding codestored in the re-writable persistent memory 422. In some embodiments,that code may be any of the examples of the above-described sub-OS-levelcode. For example, upon receiving power, the processor 414 may call thevalidator 424, and the validator 424 may validate a copy of the codestored in the re-writable persistent memory 422 before instructing theprocessor 414 to begin executing that validated code. Or in someembodiments, the loader 426 may load and validate such code to there-writable persistent memory 422 before instructing the processor 414to execute that code.

In some embodiments, as mentioned, the loader 426 of FIG. 1A may executea process 450 shown in FIG. 1B to load sub-OS level code to there-writable persistent memory 422 for execution by the processor 414,for example, streaming firmware upon or to enable booting. In someembodiments, this may include accessing and executing immutableexecutable code stored in read-only memory, as indicated by block 452,like the code of the validator 424 in read-only memory 412 of FIG. 1A.Some embodiments may then retrieve, from the read-only memory, anetwork-layer address of a tamper-evident, immutable data repository, asindicated by block 454. In some embodiments, the address is an IPaddress or URL stored as the layer-three address 432 in FIG. 1A. Someembodiments may further retrieve, from the read-only memory, anapplication-layer address of firmware (or other sub-OS-level code)stored in the tamper-evident, immutable data repository, as indicated byblock 456. Some embodiments may then download the firmware from thetamper-evident, immutable data repository by sending anapplication-layer request to the network-layer address, the requestidentifying the application-layer address of the firmware and requestinga read operation, as indicated by block 458.

In some embodiments, the entire body of code may be downloaded beforesubsequent operations begin. Or in some embodiments, such code may bedownloaded, verified, and executed in stages. For example, a firstportion of the sub-OS-level code may be downloaded and verified with thepresent techniques, and that first portion may be executed by theprocessor 414 before subsequent other portions of the sub-OS-level codeare downloaded from the tamper-evident, immutable data repository (orother data sources referenced by the downloaded code). In someembodiments, the first portion of the sub-OS-level code may include aloader or a validator like loader 426 or validator 424 or other recordslike those in the read-only memory 412 that are used in the same orsimilar fashion to then verify a second portion of the sub-OS-levelcode.

In some embodiments, code may be downloaded via the network interface420, or in some cases, a network interface of the host system may beaccessed to download the code from the tamper-evident, immutable datarepository, for example, by operation of a baseboard managementcontroller or at the direct instruction of processor 414.

Some embodiments may store the downloaded firmware (or othersub-OS-level code) in re-writable memory of the embedded computingdevice, as indicated by 460. Next, some embodiments may cause a programcounter or other instruction address register of the processor oranother processor of the embedded computing device to point to a firstaddress of the firmware in the rewritable memory to initiate executionof the firmware (or other sub-OS-level code), as indicated by block 462.

Some embodiments may perform further verification steps beforeinitiating execution of the firmware, for example, verifying thatdownloaded code was cryptographically signed by an entity with access toa private key corresponding to public key 430, blocking execution in theevent that the signature is flawed, and permitting execution if thesignature is verified. Some embodiments may further verify that thedownloaded code has not been subject to tampering, for example, with thetechniques described below with reference to FIGS. 1D through 12 bywhich cryptographic hash pointers in a directed acyclic graph areevaluated to determine whether the hash values therein are internallyconsistent given the received code. In some embodiments, theseverification operations may be performed by the processor 414 or some orall of these operations may be performed by another processor anotherdevice. For example, an entity operating the tamper-evident, immutabledata repository 408 may verify the absence of tampering and thencryptographically sign the sent code responsive to verification. And thecryptographic signature may be verified with reference to the public key432 confirming that the sent code was sent by an entity with access tothe corresponding private cryptographic key.

Some embodiments may validate code already stored in the re-writablepersistent memory 422 with the process 480 shown in figure C, which maybe encoded as instructions of the executable-code validator 424described above with reference to FIG. 1A. In some embodiments, thisprocess may include receiving a request to execute with a computingdevice, or install on the computing device, and untrusted instance ofsub-OS-level executable code stored in rewritable memory of thecomputing device, as indicated by block 482. Some embodiments may thencalculate a first hash digest, for instance, with one of thebelow-described cryptographic hash functions, of the untrusted instanceof the sub-OS-level executable code, as indicated by block 484. Someembodiments may then obtain, from a distributed acyclic graph ofcryptographic hash pointers stored external to the computing device, asecond hash digest of a trusted instance of the sub-OS-level code, asindicated by block 486. In some embodiments, this may be performed byretrieving a copy of the trusted instance of the sub-OS-level code withtechniques like those described above with reference to FIG. 1B fromsuch a graph and calculating a hash digest of the retrieved copy, orsome embodiments may directly read a hash digest of the trusted instancestored in the tamper-evident, immutable data repository 408.

Some embodiments may then determine whether the first hash value matches(for example, is identical to) the second hash value, as indicated byblock 488. Upon determining that the values match, some embodiments mayexecute or install the untrusted instance of the sub-OS-level code, asindicated by block 490.

The term “trust” herein does not require any particular state of mind,but rather refers to the classification of various bodies of code todistinguish bodies of code that have not undergone verification frombodies of code that have or are from a known-safe-source. The term doesnot require any subjective assessment.

Alternatively, upon determining that the hash values do not match, someembodiments may block execution or installation of the untrustedinstance of the sub-OS-level code, as indicated by block 492. Someembodiments may then download a trusted instance of the sub-OS-levelcode from the distributed acyclic graph of cryptographic hash pointersor another such graph or source, as indicated by block 494. In someembodiments, downloading may involve the operations described above withreference to FIG. 1B. Some embodiments may verify a cryptographicsignature of the downloaded trusted instance of the sub-OS-level code,as indicated by block 496, and upon verification proceed execution, asindicated by block 490.

Tamper-Evident Data Stores

In some embodiments, the above-mentioned tamper-evident data stores maybe implemented with the system described below with reference to FIGS.1D-13 . These techniques are best understood in view of an examplecomputing environment 10 shown in FIG. 1D. The computing environment 10is one example of many computing architectures in which the presenttechniques may be implemented. In some embodiments, the presenttechniques are implemented as a multi-tenant distributed application inwhich some computing hardware is shared by multiple tenants that accessresources on the computing hardware in computing devices controlled bythose tenants, for example, on various local area networks operated bythe tenants. Or in some cases, a single tenant may execute each of theillustrated computational entities on privately-controlled hardware,with multiple instances of the computing environment 10 existing fordifferent organizations. Or some embodiments may implement a hybridapproach in which multi-tenant computing resources (e.g., computers,virtual machines, containers, microkernels, or the like) are combinedwith on-premises computing resources or private cloud resources. In someembodiments, the computing environment 10 may include and extend uponthe security features of a computing environment described in U.S.patent application Ser. No. 15/171,347, titled COMPUTER SECURITY ANDUSAGE-ANALYSIS SYSTEM (docket no. 043788-0447379), filed 2 Jun. 2016,the contents of which are hereby incorporated by reference.

In some embodiments, the computing environment 10 includes a pluralityof client computing devices 12, a lower-trust database 14, securedistributed storage 16, a domain name service 18, and a translatorserver 20 (or elastically scalable collection of instances of translatorservers disposed behind a load balancer). In some embodiments, each ofthese components may communicate with one another via the Internet 22and various local area networks in some cases. In some embodiments,communication may be via virtual private networks overlaid on top of thepublic Internet. In some embodiments, the illustrated components may begeographically distributed, for example, more than 1 kilometer apart,more than 100 kilometers apart, more than a thousand kilometers apart,or further, for example distributed over the content event of NorthAmerica, or the world. Or in some cases, the components may beco-located and hosted within a airgapped or non-airgapped privatenetwork. In some embodiments, each of the illustrated blocks thatconnects to the Internet 22 may be implemented with one or more of thecomputing devices described below with reference to FIG. 13 .

In some embodiments, each of the client computing devices 12 may be oneof a plurality of computing devices operated by users or applications ofan entity that wishes to securely store data. For example, a givenbusiness or governmental organization may have more than 10, more than100, more than 1,000, or more than 10,000 users and applications, eachhaving associated computing devices that access data stored in thelower-trust database 14 (or a collection of such databases or othertypes of datastores) and the secure distributed storage 16. In someembodiments, multiple entities may access the system in the competingenvironment 10, for example more than five, more than 50, more than 500,or more than 5000 different entities may access shared resources withrespective client computing devices or may have their own instance ofthe computing environment 10. In some embodiments, some of the clientcomputing devices 12 are end-user devices, for example, executing aclient-side component of a distributed application that stores data inthe lower-trust database 14 and the secure distributed storage 16, orreads is such data. Client computing devices may be laptops, desktops,tablets, smartphones, or rack-mounted computing devices, like servers.In some embodiments, the client-computing devices are Internet-of-thingsappliances, like smart televisions, set-top media payers, securitycameras, smart locks, self-driving cars, autonomous drones, industrialsensors, industrial actuators (like electric motors), or in-storekiosks. In some embodiments, some of the client computing devices 12 maybe headless computing entities, such as containers, microkernels,virtual machines, or rack-mounted servers that execute a monolithicapplication or one or more services in a service-oriented application,like a micro services architecture, that stores or otherwise axis isdata in the lower-trust database 14 or the secure distributed storage16.

In some embodiments, the lower-trust database 14 and the securedistributed storage 16 may each store a portion of the data accessedwith the client computing devices 12, in some cases with pointerstherebetween stored in one or both of these datastores. In someembodiments, as described below, this data may be stored in a mannerthat abstracts away the secure distributed storage 16 from a workloadapplication through which the data is accessed (e.g., read or written).In some embodiments, data access operations may store or access data inthe lower-trust database 14 and the secure distributed storage 16 with aworkload application that is not specifically configured to access datain the secure distributed storage 16, e.g., one that is configured tooperate without regard to whether the secure distributed storage 16 ispresent, and for which the storage of data in the secure distributedstorage 16 is transparent to the workload application storing content inthe lower-trust database 14 and the secure distributed storage 16. Insome embodiments, such a workload application may be configured to, andotherwise designed to, interface only with the lower-trust database 14when storing this data, and as described below, some embodiments maywrap interfaces for the lower-trust database 14 with additional logicthat routes some of the data to the secure distributed storage 16 andretrieves that data from the secure distributed storage 16 in a mannerthat is transparent to the workload application accessing content (i.e.,data written or read by the workload application).

Content stored in the lower-trust database 14 and secure distributedstorage 16 may be created or accessed with a variety of different typesof applications, such as monolithic applications or multi-servicedistributed applications (e.g., implementing a microservicesarchitecture in which each service is hosted by one of the clientcomputing devices 12). Examples include email, word processing systems,spreadsheet applications, version control systems, customer relationshipmanagement systems, human resources computer systems, accountingsystems, enterprise resource management systems, inventory managementsystems, logistics systems, secure chat computer systems, industrialprocess controls and monitoring, trading platforms, banking systems, andthe like. Such applications that generate or access content in thedatabase 14 for purposes of serving the application's functionality arereferred to herein as “workload applications,” to distinguish thoseapplications from infrastructure code by which the present techniquesare implemented, which is not to suggest that these bodies of codecannot be integrated in some embodiments into a single workloadapplication having the infrastructure functionality. In some cases,several workload applications (e.g., more than 2, more than 10, or morethan 50), such as selected among those in the preceding list, may shareresources provided by the infrastructure code and functionalitydescribed herein.

In some embodiments, the lower-trust database 14 is one of the varioustypes of datastores described above. In some cases, the lower-trustdatabase 14 is a relational database, having a plurality of tables, eachwith a set of columns corresponding to different fields, or types ofvalues, stored in rows, or records (i.e., a row in some implementations)in the table, in some cases, each record, corresponding to a row may bea tuple with a primary key that is unique within that respective table,one or more foreign keys that are primary keys in other tables, and oneor more other values corresponding to different columns that specifydifferent fields in the tuple. Or in some cases, the database may be acolumn-oriented database in which records are stored in columns, withdifferent rows corresponding to different fields. In some embodiments,the lower-trust database 14 may be a relational database configured tobe accessed with structured query language (SQL) commands, such ascommands to select records satisfying criteria specified in the command,commands to join records from multiple tables, or commands to writevalues to records in these tables.

Or in some cases, the lower-trust database 14 may be another type ofdatabase, such as a noSQL database, like various types of non-relationaldatabases. In some embodiments, the lower-trust database 14 is adocument-oriented database, such as a database storing a plurality ofserialized hierarchical data format documents, like JavaScript™ objectnotation (JSON) documents, or extensible markup language (XML)documents. Access requests in some case may take the form of xpath orJSON-path commands. In some embodiments, the lower-trust database 14 isa key-value data store having a collection of key-value pairs in whichdata is stored. Or in some cases, the lower-trust database 14 is any ofa variety of other types of datastores, for instance, such as instancesof documents in a version control system, memory images, a distributedor non-distributed file-system, or the like. A single lower-trustdatabase 14 is shown, but embodiments are consistent with, and incommercial instances likely to include, substantially more, such as morethan two, more than five, or more than 10 different databases, in somecases of different types among the examples described above. In someembodiments, some of the lower-trust databases may be database of asoftware-as-a-service application hosted by a third party and accessedvia a third party application program interface via exchanges with, forinstance, a user's web browser or another application. In some cases,the lower-trust database 14 is a mutable data store or an immutable datastore.

In some cases, access to data in the lower-trust database 14, andcorresponding access to corresponding records in the secure distributedstorage 16, may be designated in part with roles and permissions storedin association with various user accounts of an application used toaccess that data. In some embodiments, these permissions may bemodified, for example, revoked, or otherwise adjusted, with thetechniques described in U.S. patent application Ser. No. 15/171,347,titled COMPUTER SECURITY AND USAGE-ANALYSIS SYSTEM (docket no.043788-0447379), filed 2 Jun. 2016, the contents of which are herebyincorporated by reference.

The database 14 is described as “lower-trust.” The term “lower-trust”does not require an absolute measure of trust or any particular state ofmind with respect to any party, but rather serves to distinguish thedatabase 14 from the secure distributed storage 16 which has certainsecurity features in some implementations described below and in somecases may be referred to as a “higher-trust” database.

In some cases, some of the data that an application writes to, or haswritten to, the lower-trust database 14 may be intercepted or moved tothe secure distributed storage 16 with techniques described below.Further, access requests from a workload application to the lower-trustdatabase 14 may be intercepted, or responses from such access requestmay be intercepted, and data from the lower-trust database 14 may bemerged with data from the secure distributed storage 16 that isresponsive to the request before being presented to the application, asdescribed in greater detail below. Further, read requests may beintercepted, modified, and iteratively executed in a manner that limitshow much information in the secure distributed storage is revealed to aclient computing device at any one time, as described below.

In some embodiments, the secure distributed storage 16 may include acollection of data centers 24, which may be distributed geographicallyand be of heterogeneous architectures. In some embodiments, the datacenters 24 may be various public or private clouds or on-premises datacenters for one or more organization-users, such as tenants, of thecomputing environment 10. In some embodiments, the data centers 24 maybe geographically distributed over the United States, North America, orthe world, in some cases with different data centers more than 100 or1,000 kilometers apart, and in some cases with different data centers 24in different jurisdictions. In some embodiments, each of the datacenters 24 may include a distinct private subnet through which computingdevices, such as rack-mounted computing devices in the subnetcommunicate, for example, via wrap top-of-rack switches within a datacenter, behind a firewall relative to the Internet 22. In someembodiments, each of the data centers 24, or different subsets of thedata centers 24, may be operated by a different entity, implementing adifferent security architecture and having a different applicationprogram interface to access computing resources, examples includingAmazon Web Services™, Azure from Microsoft™, and Rack Space™. Threedifferent data centers 24 are shown, but embodiments are consistentwith, and in commercial implementations likely to include, more datacenters, such as more than five, more than 15, or more than 50. In somecases, the datacenters may be from the same provider but in differentregions.

In some embodiments, each of the data centers 24 includes a plurality ofdifferent hosts exposed by different computational entities, likemicrokernels, containers, virtual machines, or computing devicesexecuting a non-virtualized operating system. Each host may have anInternet Protocol address on the subnet of the respective data center 24and may listen to and transmit via a port assigned to an instance of anapplication described below by which data is stored in a distributedledger. In some embodiments, each storage compute node 26 may correspondto a different network hosts, each network coast having a server thatmonitors a port, and configured to implement an instance of one of thebelow-described directed acyclic graphs with hash pointers implementingimmutable, tamper-evident distributed ledgers, examples include blockchains and related data structures. In some cases, these storage computenodes 26 may be replicated, in some cases across data centers 24, forexample, with three or more instances serving as replicated instances,and some embodiments may implement techniques described below todetermine consensus among these replicated instances as to state ofstored data. Further, some embodiments may elastically scale the numberof such instances based on amount of data stored, amounts of accessrequests, or the like.

Some embodiments may further include a domain name service (DNS) 18,such as a private DNS that maps uniform resource identifiers (such asuniform resource locators) to Internet Protocol address/port numberpairs, for example, of the storage compute nodes 26, the translator 20,and in some cases other client computing devices 12 or other resourcesin the computing environment 10. In some embodiments, a client computingdevice 12, a storage compute node 16, the database 14, or translator 20may encounter a uniform resource identifier, such as a uniform resourcelocator, and that computing entity may be configured to access the DNS18 at an IP address and port number pair of the DNS 18. The entity maysend a request to the DNS 18 with the uniform resource identifier, andthe DNS 18 may respond with a network and process address, such asInternet Protocol address and port number pair corresponding to theuniform resource identifier. As a result, underlying computing devicesmay be replaced, replicated, moved, or otherwise adjusted, withoutimpairing cross-references between information stored on differentcomputing devices. Or some embodiments may achieve such flexibilitywithout using a domain name service 18, for example, by implementing adistributed hash table or load-balancing that consistently maps databased on data content, for example based on a prefix or suffix of a hashbased on the data or identifiers of data to the appropriate computingdevice or host. For instance, some embodiments may implement a loadbalancer that routes requests to storage compute nodes 26 based on aprefix of a node identifier, such as a preceding or trailing thresholdnumber of characters.

Some embodiments may further include a virtual machine or containermanager configured to orchestrate or otherwise elastically scaleinstances of compute nodes and instances of the translator 20, forinstance, automatically applying corresponding images to provisionedresources within one or more data centers 24 responsive to need andspinning down instances as need diminishes.

In some embodiments, the translator 20 may be configured to execute aroutine described in greater detail below that translates between anaddress space of the lower-trust database 14 and an address space of thesecure distributed storage 16. In some embodiments, the translator 20may receive one or more records from the client computing device 12 thatis going to be written to the lower-trust database 14, or may receivesuch records from the lower-trust database 14, and those records may bemapped to the below-describe segment identifiers (or other pointers,such as other node identifiers) in the secure distributed storage 16.The translator 20 may then cause those records to be stored in thesecure distributed storage 16 and the segment identifiers to be storedin place of those records in the lower-trust database 14, such as inplace of individual values in records. In some embodiments, translationmay happen at the level of individual values corresponding to individualfields in individual records, like rows of a table in the database 14,or some embodiments may translate larger collections of data, forexample, accepting entire records, like entire rows, or plurality ofcolumns, like a primary key and an individual value other than theprimary key in a given row. Some embodiments may accept files or otherbinary larger objects (BLOBS). The translator 20 that may then replacethose values in the lower-trust database 14 with a pointer, like asegment identifier in the secure distributed storage, in the mannerdescribed below, and then cause those that data to be stored in thesecure distributed storage 16 in the manner described below. In someexamples, documents may be stored, which may be relatively smallstand-alone values to binary large objects encoding file-system objectslike word-processing files, audio files, video files, chat logs,compressed directories, and the like. In some cases, a document maycorrespond to an individual value within a database, or document maycorrespond to a file or other binary large object. In some cases,documents may be larger than one byte, 100 bytes, 1 kB, 100 kB, 1 MB, or1 GB. In some embodiments, documents may correspond to messages in amessaging system, or printable document format documents, MicrosoftWord™ documents, audio files, video files or the like.

In some embodiments, the translator 20 may include code that receivesrequests from drivers and facilitates the translation of data. In somecases, the translator 20 may be one of an elastically scaled set oftranslators 20 remotely hosted in a public or private cloud. Thetranslator may, in some cases, implement the following functions:

1. Validate Request

a. Using a database, some embodiments validate a combination of usersupplied parameters such as predefined software IDs, client IDs, andmachine specific identifiers registered at install time. This iscompared against a known list and then further verified with IP addressand/or other network specific parameters.

2. Data Validate

a. Parsing the HTTP body and then decoding some embodiments determinethe unique list of reference values to replace with plain text. Using adatabase, some embodiments first check if the requesting machine has therights to access the data. Next using a database, some embodiments findthe network name of the first hop of the piece of data and place into anarray.

3. Threshold Check

a. With the location of each unique requested segment (or node ordocument or content) identifier, some embodiments check against a seriesof threshold or rate objects. Some embodiments look for access rate,time window, or location based rules and apply the requested dataagainst a mapping of rules. If any particular data is breaking athreshold then an anomaly in the system is generated resulting innotifications and logging in some embodiments.

4. Jobs

a. The translator 20 may split up the data requests into jobs and placesthe job onto a work queue. The split may be done by a static per messagejob size and may use a deal-letter exchange to retry and finally failmessages

5. Response Function

a. Data may be returned from the queue and plain text values may bematched and replaced with the corresponding pointers (such as segment,document, node, or unit-of-content identifiers, which is not to suggestthat these or any other list of categories describe disjoint sets). Onceall jobs have returned the response a response may be returned in someembodiments.

In some embodiments, the client computing devices 12 may each execute anoperating system in which one or more applications 28 execute. Theseapplications may include client-side portions of the above-describedexamples of workload applications, which may include business logic andother program code by which a service in a micro-services architectureis implemented. In some embodiments, the applications 28 may bedifferent in different client computing devices, and an individualclient computing device may execute a plurality of differentapplications. In some embodiments, the applications 28 may be configuredto interface with the lower-trust database 14 via a database driver 32executed within the operating system. The database driver 32 may be anyof a variety of different types of drivers such as an ODBC driver, aJDBC driver, and the like. In some embodiments, the database driver 32may be configured to access the lower-trust database 14 via a networkinterface 34 of the client computing device 12, such as a networkinterface card connected to a physical media of a local area network bywhich the Internet 22 is accessed.

Some embodiments may further include a security driver 30 thatinterfaces between the application 28 and the database driver 32. Insome embodiments, the security driver 30 may be transparent to theapplication 28, such that an application program interface of thedatabase driver 32 is presented to the application 28 by the securitydriver 30, and that application program interface may be unmodified fromthe perspective of the application 28 relative to that presented by thedatabase driver 32 in some cases. In some embodiments, the securitydriver 30 may wrap an application program interface of the databasedriver 32, such that the security driver 30 receives application programinterface requests from the application 28 to the driver 32, acts onthose requests, and in some cases modifies those requests, and thenprovides the request in some cases with modifications to the databasedriver 32. Similarly, responses back to the application 28 may beprovided by the security driver 30 and in a manner consistent with thatprovided by the driver 32, as described in greater detail below.

In some embodiments, the security driver 30 is configured to engage thetranslator 20 after (or to perform) splitting data being written to (orattempting) the lower-trust database 14 by the application 28 intohigher-security data and lower-security data. Again, the terms“lower-security” and “higher-security” serve to distinguish dataclassified differently for purposes of security and do not requiremeasurement against an absolute security metric or a state of mind. Thelower-security data may then be written by the database driver 32 to thelower-trust database 14 in the manner provided for by the application 28without regard to whether the security driver 30 is present.

The higher-security data, on the other hand, may be stored in a mannerdescribed below by the translator 20 that renders that data relativelyrobust to attacks by malicious actors. When returning data to theapplication 28, for example in response to receiving a read request,these operations may be reversed in some cases. Again, these operationsare described in greater detail below. Generally, in some embodiments,the data from the lower-trust database 14 and the data from the securedistributed storage 16 may be merged by the security driver 30, in somecases, before that data is presented to the application 28. By acting onthe higher-security data within the client computing device 12, beforethat data leaves the client computing device 12, some embodiments mayreduce an attack service of the computing environment 10. That said, notall embodiments provide this benefit, and some embodiments may implementthe functionality of the security driver 30 outside of the clientcomputing devices 12, for example, in a database gateway, in a databasemanagement system implemented at the lower-trust database 14, or onanother standalone application executed in a computing device disposedbetween the lower-trust database 14 and the network and the clientcomputing device 12 in a path to the lower-trust database 14.

In some embodiments, the security driver 30 includes an outbound pathand an inbound path. In some embodiments, the outbound path includes anout-parser 36, a validator 38, a data multiplexer 40. The out-parser mayclassify values as higher-security or lower-security values applying oneor more rules in a data policy described below. The validator mayperform the statement validate function described below. The multiplexermay route data to the lower-trust database 14 or the translator 20 basedon the security classification. In some embodiments, the inbound pathincludes an in parser 42, and a data de-multiplexer 44. The inbound pathmay include a parser 42 configured to detect pointers to data in queryresponses from the lower-trust database 14 that point to data in thesecure distributed storage 16. The parser 42 may call the translator 20to request that pointers be replaced with more securely stored data. Insome cases, the de-multiplexer 44 may merge data from the translator 20with lower-security data in the same query response. In some cases, thesecurity driver may implement a process described below with referenceto FIG. 8 and perform the following functions:

1. Statement Parse

a. For a SELECT statement, there could be a WHERE clause which islooking to match data in a protected column. During this phase, someembodiments parse the SELECT statement and check if there is a need toflip any plain text values in the WHERE clause into the reference space.The statement may be marked for processing and passed along.

b. For an INSERT or UPDATE statement, there could be data in either thestatement body or the WHERE clause (INSERT). During this phase, someembodiments parse the statement and check if there is a need to flip anyplain text values in the WHERE clause or body into the reference space.The statement may be marked for processing and passed along.

c. The security driver may use a locally kept copy of the currentprotection settings for a given client. In some embodiments, it is thislocally kept and updated (e.g., periodically or constantly) table thatthe database, table, and column names in the statements are comparedagainst. The time between getting a new state table is determined byvarious factors.

2. Statement Validate

a. During the operation of a database command some embodiments check thestatement for potential injection or other malicious SQL statements andblock the query or log that the event happened. This is a locallysupported operation that can be done by each driver in some cases.

3. Statement Process

a. Depending upon the results of Parse, the driver may make HTTPrequests to a preset URL and asks for plain-text data to be switchedinto the reference space, e.g., by the translator 20.

b. The statement may be updated with reference space data if needed andthe statement may be delivered to the lower-trust database 14 server.

4. Result Set Process

a. For a SELECT statement the result set is processed and if columns inthe returned data match any entries in the locally held table, thesecurity driver 20 may perform HTTP requests to switch reference spacedata to plain text space.

b. The driver 30 may iterate over the data and selects distinct valuesto place into an HTTP body and requests made using a preset URL andsystem DNS 18, e.g., by engaging the translator 20.

c. Data may be returned and replaced for each occurrence in the resultset and returned to the application 28 in some cases.

Various aspects of the system above, or other architecture may implementvarious techniques expanded upon below under distinct headings.

Immutable Datastore for Low-Latency Reading and Writing of Large DataSets

Generally, traditional databases do not adequately protect againstthreat actors or internal resources (employees, information-technologystaff, etc.) tampering with the data. At best, such systems typicallyprovide audit access and the ability to modify the stored data, but theaudit logs typically are mutable and, thus, can be changed just aseasily as the data.

Recent immutable examples of databases include blockchain-baseddatabases, such as bitcoind and MultiChain. Blockchain systems are builtupon ideas first described in a paper titled “Bitcoin: A Peer-to-PeerElectronic Cash System” under the pseudonym Satoshi Nakamoto in October2008. These systems typically implement a peer-to-peer system based onsome combination of encryption, consensus algorithms, and proof-of-X,where X is some aspect that is difficult to consolidate across thenetwork, such as proof-of-work, proof-of-stake, proof-of-storage, etc.Typically, those actors on a network having proof-of-X arrive at aconsensus regarding the validation of peer-to-peer transactions, oftenusing various consensus algorithms like Paxos, Raft, or hashgraph. Orsome private blockchains do not implement proof-of-X consensus, e.g.,where the computing hardware implementing the blockchain is controlledby trusted parties. Chained cryptographic operations tie a sequence ofsuch transactions into a chain that once validated, is typicallyprohibitively computationally expensive to falsify.

However, many extant blockchain-based databases are not well suited forcertain use cases, particularly those involving latency-sensitive access(e.g., reading or writing) to large files (e.g., documents or othercollections of binary data treated as a single entity, often called“blobs”), for instance in a blockchain-hosted filesystem. Indeed, manyblockchain databases are not readily configured to store large objectsand object files (e.g., on the order of 500 kilobytes or larger,depending on the use case and acceptable latency), as such systems aretypically highly specialized for small-payload “transactional”applications. In such systems, when storing larger collections of binarydata (e.g., files or blobs), the chain can dramatically slow as thechain gets bigger, particularly for write operations.

As noted above, blockchains generally allow for small bits ofinformation to be stored in an immutable data structure, but the momentdata in the chain is altered, the chain is broken and can no longerfunction in a manner that represents the data to be valid. The mostcommon blockchain implementation is the publicly accessible Bitcoinledger (for which Blockchains were designed).

As noted, such systems present certain problems for some use cases.These, and other problems are mitigated by some embodiments of a systemreferred to below as “Docuchain.” Docuchain is a blockchain softwaresuite specifically designed for low-latency put and get operations ofBinary Large Objects (BLOBs). Docuchain, in some embodiments, uses animproved version of an underlying data structure called “Merkle Trees”to provide the immutable properties of the Blockchain. In someembodiments, Docuchain is operative to respond to commands within lessthan 50 milliseconds (ms), e.g., and many commercial implementations areexpected to provide sub 10 ms operations as perceived by the applicationinteracting with the chain, and sub 5 ms operations at the level of thechain. Further, such response times are expected to scale with the chainsize. Some embodiments may scale response times at n log(n), wherein nis the number of entries in the chain.

Merkle Trees generally work by a tree of cryptographic hashes in whicheach element of the tree contains a hash of the information contained byits children, and leaf elements are hashes of the subject data stored inthe Merkle Tree. In many traditional implementations of Merkle Trees forthe purposes of storing data, like those in many earlier blockchaindatabases, the data is stored in a separate logical datastore, hashed,and just the hash is carried into the Merkle Trees. That is, the databeing by the database stored is not part of the Merkle Tree, only a hashdigest of the data is part of the Merkle Tree.

To mitigate some of the problems with traditional blockchain databases,some embodiments of Docuchain store the data directly in Merkle Trees,though embodiments are not limited to data storage in Merkle Trees,which is not to suggest that other descriptions are limiting. That is,when data is written to the database or read from the database, thatdata is written into specific fields of the elements (e.g., attributesof node content of nodes) of the Merkle Tree or read from specificfields of the elements of the Merkle Tree (rather than just a hashdigest of the data residing in the Merkle Tree with the entire dataresiding in an external datastore). With this tight coupling, if thedata is altered at all, the entire hash for the tree (as is distinctfrom a hash of a file stored in the database) is thrown off immediatelyand ultimately the chain will be broken and detected as such duringvalidation operations. Additionally, some embodiments prevent the BLOBfrom ever being stored in an external (potentially mutable and lesssecure) datastore. Finally, the tight coupling of the data to the treeis expected to reduce the number of read/write operations necessary totransact with the chain, further reducing potential latency.

In some embodiments, Docuchain contains two components: LibDocuchain andDocuSocket.

In some embodiments, LibDocuchain is a software library that containsthe following data structures:

-   -   MerkleTree<H, T>    -   DataBlock<H, T>    -   BlockManager<H, T>

where “H” represents a cryptographic hashing function, and “T”represents the data type being stored in the chain. Generally, hashingfunctions map data of arbitrary size to data of fixed size. Examples ofcryptographic hash functions include SHA256, SHA-2, MD5, and the like(e.g., applied more than once Docuchain, in some embodiments, can use avariety of different types of hashing functions and this is expected toinclude later developed hashing algorithms (e.g., new post-quantumcryptographic hashes).

The BlockManager, in some embodiments, is responsible for taking data,placing into the appropriate block and inserting into the appropriateMerkle tree, writing to disk at the appropriate times, increasing (e.g.,guaranteeing) chain durability (i.e., tamper-resistance). Additionally,in some embodiments, there is a JobManager that manages concurrentoperations on the datastructures to deliver operation times.

In some embodiments, DocuSocket is a software library that maintainsconnections to clients, e.g., remote computing devices seeking to accessdata stored in the database. Connections from clients may be relativelystateless (and in some cases, after a session is confirmed there is nofurther state). A connection, in some embodiments, can accept anarbitrary amount of requests in an arbitrary order and will returnresponses to the requests in arbitrary order. Example, the connectionmight receive write (A), write (B), read (C) operations, and in someembodiments, the Docusocket may respond to request C before A or B.However, once a transaction response comes for A or B, those operationsin some embodiments are considered final and are committed to the chainand are instantly queryable. This “always-on” and highly-availableconnection is one differentiator that allows Docusocket to out-performstandard blockchains in comparable benchmarks. (That said, not allembodiments afford these benefits, as various independently usefulinventions are described, and some of those inventions might be used toother ends.)

Write requests, in some embodiments, are accepted through Docusocket andpassed off to BlockManager for writing into a MerkleTree object. In somecases, the result of this operation is a hash composed from the positionin the MerkleTree, the hash from the previous block, and the contents ofthe data that is written; this is called the Transaction ID (TXID),which is an example of a node identifier or pointer (which is not tosuggest that these or other categories are disjoint). In someembodiments, these TXIDs are stored in alternate data stores for laterreferencing and retrieval, e.g., in the lower-trust database 14 in placeof the data to which they point, or in a lower-trust file system inplace of documents referenced by the TXIDs. In some cases, the TXID'sare segment pointers to a linked list of segment pointers and segmentsthat encode the stored data.

As noted, earlier blockchain databases are capable of storing blobs, butthe way in which the data is stored and accessed often imposes severperformance penalties when accessing larger collections of data (e.g.,larger BLOB s). Such systems often rely on additional functionalityoriginally intended to handle the transactive nature of bitcoins andother cryptocurrencies. This additional functionality is often providedby an “in-chain” scripting language which defines the transactions thatenter the chain. For many use cases, this is a secure and efficientmethod of maintaining a ledger, however for larger chains, thesefeatures come at significant time complexity cost, particularly in writeoperations. As these chains grow, they become significantly slower.Blockchain document databases that store the documents in-chain areexpected to grow very fast, thus putting significant limitations on whatis practically possible with prior technology.

In contrast, because some embodiments of Docuchain store data in itsexact representation (which should not be read to exclude varioustransformations and may include storing a compressed, encrypted copy ofthe data) directly in the Merkle Tree, those embodiments are expected tobe able to circumvent the need to have the in-chain scripting languageand are able to provide O(log(n)) get/put operations on a tree once itis loaded in memory. Further, storing the data being committed to thedatabase, rather than just a hash digest, in the Merkle Tree is expectedto impede (and in some cases defeat) hash collision attacks on thestored data. In such attacks, malicious content is selected and designedto produce the same hash as stored data, and that malicious data issubstituted in the database for the authentic data. With traditionalsystems, the Merkle Tree will yield a hash value that validates themalicious content as authentic. In contrast, some embodiments circumventthis attack vector by storing the data committed to the database in theMerkle Tree. Further, some embodiments may detect changes without theneed to continually verify each BLOB with its respective hash digest ona continual basis, unlike many systems that merely store a hash digestof the BLOB in the chain. That said, not all embodiments afford thesebenefits, e.g., some embodiments may avoid the use of traditionalin-chain scripts to access hashed digests in the chain, without storingthe entire document, thereby expediting operations.

These libraries may implement an example of a process shown in FIG. 2 ,which shows an example of a process 50 that may be implemented to storeand access documents in a, immutable, tamper-evident data structure, anexample of which is shown in FIG. 3 . In some embodiments, the process50 may be implemented in the computing environment 10 described above,but it should be emphasized that embodiments are not limited to thatimplementation, which is not to suggest that any other description islimiting. Indeed, some embodiments may implement versions of the processshown on a single computing device as part of a monolithic application,such as a file manager that stores documents locally in the describedfashion.

In some embodiments, the operations of the process 50, and the otherprocesses described herein, may be implemented in a different order fromthat described, may include steps that are repeated, may include stepsthat are executed concurrently, may include steps that are omitted, ormay be otherwise differently arranged from the exemplary arrangementsdescribed, none of which is to suggest that other descriptions arelimiting. Further, the operations of the process 50 and the otherprocesses and functionality described herein may be implemented byexecuting instructions stored on a tangible, non-transitory,machine-readable medium with one or more processors, such that when theinstructions are executed, the described functionality is effectuated.In some cases, notwithstanding the use of the singular medium, theoperations may be stored on multiple media in a distributed fashion, forexample, with different subsets of the instructions stored in memory ofdifferent computing devices that execute those different respectiveinstructions, an arrangement which is consistent with the singular“medium” as that term is used herein. Further, storage of data need notbe persistent in the absence of power and may be effectuated with eitherpersistent data storage or dynamic data storage, such as dynamic randomaccess memory that may dissipate stored data when power is removed.

In some embodiments, the process 50 includes receiving a write commandrequesting that a document associated with the write command be storedin an immutable data structure, as indicated by block 52, such as atamper-evident immutable data structure. In some cases, the writecommand may be a SQL command to write to the above-described lower-trustdata store 14 from the application 28 received by the security driver30, or the command may be a command to store a file or other document ina file system. For instance, in some cases, the write command may be arequest received by a file manager of an operating system to store afile in a repository presented as a network drive within a userinterface of the operating system, where some or all of the networkdrive is hosted in the immutable data structure like that describedbelow with reference to FIGS. 3 and 5 . In some embodiments, the writecommand may be generated programmatically, or in some cases the writecommand may be generated responsive to a user input requesting that, forexample, a document be stored. As noted above, the term “document” isused relatively expansively herein and may include storage of anindividual bites of information, or larger binary large objects, such asfiles ranging up to multiple gigabits or larger. Files may includestored data associated with metadata, like author, file-size, creationdate, modification date, a file-name, an extension, and the like. Suchfiles may be consistent with the definitions of files in the Windows™,Android™, iOS™, Linux™, or Mac™ operating systems.

The term “immutable” in the phrase “immutable data structure” refers toan arrangement of data that the computing system and write the rightcommand is configured to leave in place even after the informationrepresented by the data changes. For example, the data might represent auser's telephone number, and embodiments using an immutable datastructure may write a new record indicating a new telephone number,rather than overwrite an existing record. Thus, both the older versionand the newer version are preserved (and may be labeled as the older ornewer version) even after the value changes. Such embodiments may thenreference a most recent representation of the value for that field toeffectuate the change, rather than deleting the old instance. In someembodiments, the immutable data structure may be a tamper-evident datastructure that is computationally infeasible to modify without themodification being detectable to a party auditing the data structure.Some embodiments may implement cryptographic hash pointers describedbelow in a directed acyclic graph that make it computationallyinfeasible for a party to modify stored data without those modificationsbeing evident in virtue of inconsistent hash values elsewhere in thedata structure. Computational feasibility may depend on the use case,for example, whether economics and time available provide for certainamounts of competing resources to be brought to bear. In many cases, anoperation requiring more than 10{circumflex over ( )}128 hashes onaverage to manufacture a collision with altered data may be said to becomputationally infeasible.

In some embodiments, the process 50 may include forming nodes of adirected acyclic graph having node content that includes the document,as indicated by block 54. Forming nodes may include accessing existingnodes and inserting node content into those nodes or forming entire newdata structures by which nodes are encoded. In some embodiments, eachnode may include node content with a collection of attributes, which insome cases may include a pointer to another node. In some embodiments,those node attributes may include a pointer that is an identifier of anadjacent node in the directed acyclic graph and a cryptographic hashvalue based upon one or more attributes of the adjacent node that isidentified. In some embodiments, these last two pair of attributes (anidentifier of another node and cryptographic hash value of at least someof that node's content) may correspond to a cryptographic hash pointerfrom one node to another. Cryptographic hash pointers may define edgesof the graph in some embodiments. In some embodiments, an individualnode may contain zero cryptographic hash pointers (such as a leaf nodein a binary tree), a single cryptographic hash pointer (such as a linkin a block chain or linked list), a pair of cryptographic hash pointers(such as in a non-leaf node of a binary tree directed acyclic graph), orvarious other amounts of cryptographic hash pointers, for example, insplay trees or skip lists.

In some embodiments, the node attributes include an identifier of therespective node. In some embodiments, the identifier may be a segmentidentifier of the type described below, or in some cases the identifiermay be an identifier within a namespace of the directed acyclic graph,for example, a count that increments with the addition of each node. Insome embodiments, the identifier may be arranged hierarchically, forexample, indicating a block and a block chain and then a sequence ofbinary values that specify a path through a binary tree, as is used inprefix trees in some cases (e.g., the value 00101 may define a path froma root node to the left, left, right, left, and then right, with leftexpressed as 0 and right expressed as 1, in a binary tree). In someembodiments, the identifier of a node is content-based, for example, acryptographic hash value or non-cryptographic hash value based on one ormore or all of the attributes of the node, which may include hashpointers of that node.

In some embodiments, the document may be stored in a single node of thedirected acyclic graph. Or in some cases, the document may be segmentedand stored in multiple nodes, for example consistent with the techniquesdescribed below with reference to FIGS. 4 through 6 . In someembodiments, some nodes of the graph may store other documents orportions of other documents. In some embodiments, nodes may be added tothe graph over time, in some cases with groups of nodes addedsequentially. In some embodiments, attributes of nodes or blocks ofnodes (which may themselves be characterized as nodes in some cases) mayfurther include a timestamp at which the node was formed, an identifierof a tenant account or data repository where data in the note is storedin the lower-trust data store 14, a date the node was created, and thelike.

In some embodiments, groups of nodes may be added as a “block,” forinstance with each block corresponding to a binary tree having documentsstored in leaf nodes. Or blocks may be linked lists, skip lists, splaytrees, or combinations thereof, for example. In some embodiments, anindividual node may store multiple documents as attributes of that node.In some embodiments, blocks have an integer index, a block capacity, acryptographic hash value based on all of the nodes in the block (like aMerkle root), the nodes within the block, and a cryptographic hash basedon content of a previous block (e.g., based on all values in the block,based on a Merkle root of that block, or the like).

In some embodiments, forming the nodes of the directed acyclic graphincludes forming (e.g., updating or creating) a sequence of nodes alongone or more paths through the directed acyclic graph. In someembodiments, this may include calculating one or more cryptographic hashvalues to form one or more cryptographic hash pointers along this path,which in some cases may include or terminate with a node in which thedocument is stored or a portion of the document is stored, such thateach cryptographic hash pointer along the path is based on the document.

Cryptographic hash pointers may be based upon a cryptographic hashfunction which may take a plurality of inputs, such as one or more nodeattributes and produce an output of fixed size. These functions may havepre-image resistance, second pre-image resistance, and collisionresistance. Examples include an SHA-256, BLAKE, BLAKE2, SHA-1, SHA-2,and SHA-3 hash function. In some embodiments, the cryptographic hashfunction may be a one way function in which a given string of inputproduces deterministically a string of output that is relativelydifficult or impossible to reverse to determine the input from theoutput while being relatively easy to confirm that an input correspondsto the output. For example, it may be computationally infeasible toidentify a hash collision in which different instances of the inputproduce a given output. In some embodiments, the cryptographic hashfunction may implement the Merkle-Damgård construction.

In some embodiments, the cryptographic hash function may be based upon acompression function that accepts a fixed size input and produces afixed sized output with a one-way compression function. In someembodiments, because the input to the cryptographic hash function may bea variety of different sizes, the transformation may be performed in avariety of iteration and a plurality of iterations. Some embodiments maydetermine a length of input, such as a number of bytes, accepted by theone-way compression function, a length of output of the one-waycompression function and determine a difference between these twolengths. Some embodiments may then parse an input to the cryptographichash function into sequences of a size of this difference anditeratively input the parsed sequence into the one-way compressionfunction and then combine the output of that iteration with a nextportion parsed portion from the input, for example, incrementing from abeginning to an end of an input and iteratively concatenating, forexample, prepending or appending or otherwise intermingling the outputof the previous iteration of the one-way compression function with anext parsed portion of the input to the cryptographic hash function.Some embodiments may repeat this until an end of the input to thecryptographic hash function is reached (e.g., reaching a point withinsome threshold number of bytes or the last byte), as indicated by block56. In some embodiments, for example, where a plurality of inputs areapplied, some embodiments may combine these inputs in a variety ofapproaches, for example prepending or appending or otherwiseintermingling these inputs to form a string upon which these operationsmay be performed to produce a fixed sized output that is based upon theentirety of the input. The resulting directed acyclic graph may bestored in memory.

Before completing discussion of FIG. 2 , it is helpful to describe anexample of a directed acyclic graph like that used in the process ofFIG. 2 . FIG. 3 shows an example of a directed acyclic graph 70consistent with the present techniques. In some embodiments, thedirected acyclic graph 70 may include a plurality of blocks in asequence, such as blocks 72, 74, and 76, which may be arranged in alinked list, with links formed by cryptographic hash pointerscorresponding to the illustrated arrows between the illustrated blocks.In some embodiments, the block 72, 74, and 76 may be added sequentially,over time, for example as each block is completed. In the illustratedexample, the block 72 may be a most recent block, while a block 76 maybe an earliest block. In some embodiments, the cryptographic hashpointers between each of the blocks may be based upon node content inthe preceding block, and that node content may include a cryptographichash pointer based on node content in the preceding block to that block.Thus, a cryptographic hash value of the cryptographic block 72 may bebased upon each of the preceding blocks' cryptographic hash values andall content rendered tamper-evident by the data structure.

In some embodiments, each block may include a binary tree with a rootnode 80. In some embodiments, each of the arrows between blocks in thebinary trees of each of the block 72, 74, and 76 may also becryptographic hash pointers, for example, based on an identifier of thenode to which the cryptographic hash pointer points and a cryptographichash value based upon node content of that node, which may include anattribute of that node that is itself a cryptographic hash value ofanother hash pointer. Thus, in some cases, a cryptographic hash value ofa root node 80 may be based upon node content of every node of thebinary tree in each block 72, 74, or 76. In some embodiments, the node80 may include three such hash pointers, corresponding to six nodeattributes, the six attributes including three pairs of node identifiersand cryptographic hash values based on node content of those nodes. Insome embodiments, node content may further include a cryptographic hashvalue based upon each of these values, or such a cryptographic hashvalue may be stored in another node that points to that node. Theillustrated graphs are acyclic. As that term is used herein, it mayrefer to an acyclic subset of a larger cyclic graph. Thus, claims toacyclic directed graphs may not be avoided simply by adding an un-usedcycle.

In some embodiments, the binary tree structure may facilitate relativelyfast access to records within a given binary tree once a given block 72,74, or 76 is identified. In some embodiments, to expedite access tospecific blocks, some embodiments may include a skip list datastructure, for example, with another node or value within node 80 thatincludes a cryptographic hash pointer to some number of blocks earlierin the sequence, for example, to a block four positions earlier, anotherto a block eight positions earlier, another to a block 16 positionsearlier, another to a block 32 positions earlier, and so on. Someembodiments may thus, skip over some portions of the sequence of blocksto access a specified block. Three blocks 72, 74, and 76, are shown, butis expected that commercial embodiments will include substantially more,for example more than 50, more than 100, more than 500, more than athousand, or more than 10,000 blocks in a given directed acyclic graph70. In some embodiments, an earliest block 76 may include acryptographic hash pointer to a seed node 78, which may include a randomvalue (e.g., a pseudo random value) longer than 64 bytes as node contentas an attribute to provide a minimum level of entropy for eachsucceeding cryptographic hash value that points directly or indirectlyto the node 78.

In the illustrated example, the blocks 72, 74, and 76 include binarytrees with three levels of hierarchy, but embodiments are expected toinclude more, for example four levels, five levels, six levels, sevenlevels, eight levels, or more levels of hierarchy, each including twiceas many blocks as a proceeding level in the hierarchy. In someembodiments, the binary trees may be balanced binary trees, or in somecases the binary trees may be unbalanced. In some embodiments, nodes inthe binary trees below a lowest level, such as nodes 80, 84, and 86 thatare non-leaf nodes, may include node content that is based oncryptographic hash pointers but not based on node attributes in thosenodes that store content of documents, or in some cases documents mayalso be stored in these nodes. In some embodiments, content ofdocuments, such as documents themselves or portions of documents may bestored in attributes of node content of leaf nodes 88, 90, 92, and 94,such as an individual one of these leaf nodes in some cases. Thus, forexample a given document stored in leaf node 90 as an attribute in nodecontent of leaf node 90 may cause a cryptographic hash value in acryptographic hash pointer of nodes 84 and 80 to be based upon thatdocument. As a result, a modification to the document stored in node 90may cause the cryptographic hash pointers in nodes 80 and 84 to beinconsistent with that document, as cryptographically hashing themodified document is not expected to yield the same cryptographic hashvalue in the cryptographic hash pointers of these nodes 80 and 94. Insome embodiments, this verification operation may be repeated along asequence in a path of such nodes connected by cryptographic hashpointers, in some cases from or to any leaf node up to a most recentroot node added to the directed acyclic graph 70, thereby relativelygranularly identifying a node with data from a workload application thathas been modified and relatively reliably making that data tamperevident due to the computational infeasibility of crafting hashcollisions consistent with the modification to the data along the path.In some cases, leaf nodes may be arranged based on the content, e.g.,with each leaf node from left to right storing a range of values, oreach leaf node storing up to a threshold amount of data arrangedalphabetically, temporally, or in some other arrangement.

In the illustrated directed acyclic graph 70, a sequence of binary treesare shown, but embodiments are consistent with other types of directedacyclic graphs. In some embodiments, the directed acyclic graph is agraph with no unconnected sub graphs. In some embodiments, the directedacyclic graph is a single binary tree, or in some cases the directedacyclic graph is a splay tree of binary trees or a binary tree of splaytrees. In some embodiments, the directed acyclic graph includes a skiplist of splay trees or binary trees. In some embodiments, the directedacyclic graph includes a binary tree of skip lists or splay trees orlinked lists. (Some embodiments may facilitate re-arrangement of treesand other structures to facilitate faster access with abstractcryptographic hash functions described below, or hash pointers may berecalculated upon restructuring).

Thus, the directed acyclic graph 70 may include a plurality of nodes,some of which have node content that includes cryptographic hashpointers correspond to edges in the directed acyclic graph 70, and someof which includes node content that includes as attributes workloadapplication data that is secured by the directed acyclic graph 70.

In some embodiments, the directed acyclic graph 70 may take the form ofa distributed ledger, such as a block chain having a linked list ofblocks, with each block including a Merkel tree having a Merkel rootthat serves as a node attribute of the respective block, and subsequentblocks having node attributes that include cryptographic hash valuesbased on the Merkel root of each proceeding block.

In some embodiments, adding nodes or collections of nodes, such asblocks, to the directed acyclic graph 70 may be implemented in auntrusted computing environment by untrusted computing devices, in somecases based on a consensus protocol (like Paxos, Raft, or others) inwhich different computing devices perform or demonstrate some proof ofsomething that is difficult to consolidate, such as proof of work orproof of storage, for instance, by calculating a hash collision to athreshold number of prefix or suffix digits of a cryptographic hashvalue. In some embodiments, a collection of untrusted computing devicesmay execute a consensus algorithm to determine whether blocks should beadded or are valid, for example. Or to expedite operations, someembodiments may avoid the overhead associated with proof of work orstorage techniques by executing within an environment in which morecontrol is exercised over the hardware that performs the operationsdescribed herein.

It should be emphasized that a data structure need not be labeled as agraph or as having nodes or edges in program code to constitute a graph,as long as the data structure includes linking between data elementspresent in a graph. In some cases, graphs may be encoded as a list oflinks between data elements, for example, in a key-value pair, or in ahierarchical data structure, such as in a hierarchical dataserialization format, like JOSN or XML. Graphs may also be encoded asrelationships in a relational database. Further, multiple datastructures, such as different graphs, may be overlaid on one another,for example in the manner described below, while still preserving theexistence of the distinct graphs.

In some embodiments, each of the above-described storage compute nodes26 may store one or more instances of a directed acyclic graph 70 likethat shown in FIG. 3 . In some embodiments, a given directed acyclicgraph may be replicated in multiple instances on multiple storagecompute nodes 26, for example, in multiple data centers 24. In somecases, an odd number of replicated instances may be stored. When readingdata back, some embodiments may implement a consensus protocol todetermine an authoritative copy, for example identifying a version of adocument returned by a plurality or a majority of the replicatedinstances following a read operation like that described below.

In some embodiments, a given directed acyclic graph 70, which may bereplicated in multiple instances, may store data from a single workloadapplication from a single tenant, and in some cases a subset of datafrom a single workload application, or data may be mixed. In someembodiments, a given directed acyclic graph may store data from multipleapplications of a given tenant. In some embodiments, a given directedacyclic graph may store data from multiple tenants, depending upon theimplementation.

In some embodiments, as data is accumulated, when the directed acyclicgraph 70 exceeds a threshold size, a new directed acyclic graph may beinstantiated, for example, using a cryptographic hash value of a rootnode of a last block added to a previous directed acyclic graph as aseed value 78 in a seed node.

Thus, FIG. 3 shows an example of a directed acyclic graph in whichdocuments stored with the process of FIG. 2 may be stored in atamper-evident fashion in an immutable data structure. As the documentis a revised, new records may be added with new versions of the documentto the data structure 70, and pointers to a most recent version of thedocument may be updated, for example, in the lower-trust database 14 toreference those newer versions. In some embodiments, these pointers mayimplement techniques described below by which pointers are substitutedfor records in a data store. In some embodiments, those pointers maypoint to an individual node in an individual directed acyclic graph. Insome embodiments, the pointers are node identifiers or the belowdescribed segment identifiers.

In some embodiments, the translator 20 described above may maintain inmemory an index that maps pointers to uniform resource identifiers ofstorage compute nodes 26 and directed acyclic graphs maintained by thestorage compute nodes, and in some cases, the DNS 18 may map thoseuniform resource identifiers to Internet Protocol addresses and portnumbers of the corresponding storage compute nodes 26. Thus, after adocument is written to the directed acyclic graph 70, a pointer, such asa node identifier that distinguishes that node from among all othernodes accessible to a given application, tenant, or all tenants, may bestored in the lower-trust database 14 or other data store in place ofthe document.

In some embodiments, the directed acyclic graph 70 may be periodicallyverified for internal consistency to detect instances of tampering withdocuments. Some embodiments may recalculate cryptographic pointers alongvarious paths, for example, each time a new document or other record isadded to the directed acyclic graph 70, for example, each time a newblock is added. Upon detecting a path in which the cryptographic hashpointers do not correspond to a document or other node content in thatpath, some embodiments may designate that document or other values ashaving been modified. Some embodiments may further emit an alarm, e.g.,send an email, send a text message, and suspend various user accounts,such as users that have access the document responsive to detectingtampering. To detect tampering, some embodiments may recalculate thecryptographic hash values for each cryptographic hash pointer along eachpath to each document and determine whether the recalculatecryptographic hash values match those stored as node attributes of nodesstoring the respective cryptographic hash pointers. Thus, if a givendocument, for example in node 90 of block 72 is tampered with afterstorage, the cryptographic hash pointer from block 84 to block 90 willnot match the stored cryptographic hash value in the node attribute ofnode 84, nor will the cryptographic hash pointer from block 80 to block84 match the stored value in the node 80. Further, if additional blockswere added subsequent to block 72, the cryptographic hash pointersbetween blocks subsequent to block 72 will also fail to match, therebyproviding a traceable path from a most current node back to a node inwhich the node content was tampered with by an attacker. In someembodiments, these verification operations may be performed each time anode is written, each time a block is written, periodically, likehourly, daily, or weekly, or each time a read operation is performed.

FIG. 2 further includes operations by which a document may be read backfrom the secure distributed storage 16. In some embodiments, theoperations of process 50 may include receiving a read command requestingthat the document be retrieved from the immutable data structure, asindicated by block 60. In some cases, the read command may be receivedafter the write command, e.g., substantially later, for instance morethan an hour, day, or week later. In some cases, the read command may bereceived after multiple write commands for the same document in whichdifferent versions are written to different nodes in different blocks,and in some cases to different directed acyclic graphs like thosedescribed above with reference to FIG. 3 . In some embodiments, the readcommand may reference an identifier of a document that indicates a mostcurrent version of the document is to be retrieved, or in some cases theread command may reference a particular version of the document. In somecases, receiving the read command may cause the security driver 30 toaccess the lower-trust database 14 or other lower-trust data store andretrieve a pointer to a node or sequence of nodes in which the specifieddocument is stored. As noted above, in some cases the pointer may be avalue that maps to a uniform resource identifier that the DNS 18 maps toan Internet Protocol address and port number where the correspondingnode is stored in a corresponding directed acyclic graph.

Next, some embodiments may access one or more nodes of the directedacyclic graph to retrieve the document, as indicated by block 62. Insome cases, this may include sending a pointer to a node at which atleast part of the document is stored to the translator 20, accessing auniform resource identifier of a directed acyclic graph in which thenode resides in an index stored by the translator 20, converting theuniform resource identifier to an Internet Protocol address and portnumber pair with the DNS 18, requesting the corresponding node from thestorage compute node 26 hosting the specified directed acyclic graph atthe Internet Protocol address and port number, and returning therequested document to the requesting application 28.

Further in some cases, accessed documents may be verified. For example,some embodiments may recalculate cryptographic hash values based on thedocument along a path from a most current node of the directed acyclicgraph back to the document (or a subset thereof) and determine whetherany calculated cryptographic hash values do not match those stored inthe respective nodes of the directed acyclic graph, as indicated byblock 64.

For clarity of terminology, it should be noted that the storage computenodes 26 refer to computing entities (e.g., a service topology), whilethe nodes of the directed acyclic graph 70 refer to elements of a datastructure.

Embodiments may determine whether these calculated values are internallyconsistent, as indicated by block 66. This may include determiningwhether calculated values match those stored in the node pointers of thedirected acyclic graph 70. Upon determining that the values match, someembodiments may return the requested document, as indicated by block 69.Upon determining that the values do not match, some embodiments mayindicate that the document has been modified, as indicated by block 68.Thus, an entity retrieving the document may have some confidence thatthe document has not been tampered with. Further, because someembodiments store the document in the nodes, the document may beretrieved relatively quickly (e.g., within 200 ms, 100 ms, or 50 ms),even when storing relatively large amounts of data, e.g., more than 100GB or more than 10 TB. Though embodiments are not limited to systemsaffording these benefits, as independently useful techniques aredescribed, which is not to suggest that any other description islimiting.

In some embodiments, documents or other values written to the securedistributed storage 16 in nodes of directed acyclic graphs 70 may besubject to various types of encoding prior to write operations. In someembodiments, data may be encoded with redundant information such that ifsome of the data is modified before writing or after writing, theencoding reveals errors and in some cases provides enough redundantinformation that data may be recovered. For example, some embodimentsmay encode the data with Hamming codes or Turbo codes such that if asubset of the data is lost, the document may be reconstructed based onredundant information in another part of the document. In anotherexample, data may be compressed, for example, with entropy coding tofacilitate reduced use of bandwidth and faster retrieval. In someembodiments, sequences of values in a document may be analyzed toidentify frequencies with which sequences occur, and those sequences maybe mapped to a dictionary in which relatively frequent characters arerepresented with relatively short values, while longer less frequentsequences are mapped to longer values. The mapping and dictionary maythen be stored in the secure distributed storage in a compressed format.In some embodiments, after compression, some embodiments may encrypt thedata as well, for example, with a symmetric encryption algorithm inwhich keys are maintained by the client computing device 12, forinstance, by XOR'ing the document with a random string that serves asthe symmetric key. In some cases, the symmetric key may be stored in thedistributed storage 16 in the manner described above.

Fragmenting Data for the Purposes of Persistent Storage Across MultipleImmutable Data Structures

As noted above, traditional databases do not adequately protect againstthreat actors or internal resources (employees, information-technologystaff, etc.) tampering with the data. Data residing in singular logicalspaces presents an easy target for threat actors. Once the computingdevice upon which the data is stored is compromised, the entirety of thedata is potentially at risk. Similar problems arise when a singlecomputing device controls access to all other computing devices indistributed master-slave architectures, as once the master-device iscompromised, data on other devices is potentially exposed.

Techniques exist for storing data in a distributed form in apeer-to-peer network, but such systems often present other problems.Examples include various systems built around the BitTorrent protocol.These systems often operate without a central authority to becompromised. But in these systems, when or if the data is altered(potentially for the purposes of hiding or obfuscating changes), thereis no recourse or method to detect these changes. Further, manydistributed peer-to-peer storage networks, like many implementing theBitTorrent protocol, maintain full copies of files (or other BLOB s) ateach peer, potentially leaving the full file open to inspection by anuntrusted party.

To mitigate these issues and others, in some embodiments, when writingdata, a component referred to as an “arbiter” (which may be a piece ofmiddleware and may be implemented in the translator 20) may be capableof taking as an input a fully formed datum (e.g., a unit of content,like a document or value in a database), starting from the last byte ofthe data, fragmenting that data into N pieces (where N is an integerlarger than 1, and in many commercially relevant cases larger than 5 or10, and in some cases can be relative to the size of the initial data),and placing each piece on a physically (or virtually) separateblockchain-backed storage data structures, with each piece containingpointers to the next storage location of the fragmented data. In someembodiments, the arbiter (or other middleware) then returns the TXID (orother node identifier) of the last written fragment (the first byte) tothe application which requested the fragmenting of the data.

When an application or resource requests the reassembly of fragmenteddata, an arbiter (or other piece of middleware) is supplied with theTXID (or other node identifier) of the first byte of the data, in someembodiments. After reading the first byte, in some embodiments, thearbiter or middleware then reads the subsequent pointers until a nullcharacter or end of sequence character is read. Once all of the pieceshave been read into memory, the arbiter or middleware respond to theapplication with the resultant unfragmented datum.

In some embodiments, other data structures, such as files or databasescan be used to store the fragments. Additionally, some embodimentspre-process the data and count the number of pieces that are requiredfrom the beginning before fragmenting the data.

An additional enhancement in some embodiments is the fragmenting of thedata into tree-like structures instead of list-like structures, which,during read operations, are expected to accommodate concurrency andreduce operation time.

In some embodiments, when reading or writing scattered data, theexecution operation along with other meta-meta data such as usercredentials may be written to an ‘auxiliary’ chain for the purposes ofauditing access to scattered data.

Advantageously, the blockchain data structures may impede or preventmodification of the stored data fragments. Further, some embodiments maystore the data with some redundancy across fragments, e.g., with Hammingcodes or Turbo codes, such that even if one blockchain is compromised,fragments from other changes would be inconsistent with modified dataand signal the compromise. Fragmenting the data is expected tofacilitation concurrent data validation on the different chains, therebyexpediting read operations in some embodiments. Further, fragmenting thedata is expected to make the data more robust to attacks on individualpeer machines, as even if a peer machine is compromised, only arelatively small fragment is at risk. That said, not all embodimentsprovide these benefits, as multiple independently useful inventions aredescribed, and various engineering and cost tradeoffs may result inperformance advantages in one aspect being deployed to improve anotheraspect, e.g., using faster algorithms to accommodate slower, cheaperhardware.

To implement these techniques and others, some embodiments may execute aprocess 100 shown in FIG. 4 to fragment documents and distribute thefragments across multiple storage compute nodes 26 having multiple,different directed acyclic graphs, in some cases with each of thosedirected acyclic graphs being replicated on multiple storage computenodes. In some embodiments, the data being stored may be individualvalues and individual fields having individual portions of records of adatabase, such as a value at a given row and column position in a giventable. In some cases, the data being stored as a unit may includemetadata, like a primary key, table identifier, database identifier, andtenant identifier. In some embodiments, the data being stored may be adocument like those described above that is larger than an individualvalue.

In some embodiments, the process 100 may include receiving a writerequest to write values to a database, as indicated by block 102. Insome embodiments, this operation may be performed by the security driver30 described above. In some embodiments, the write request may be arequest to write a value with a structured query language statement tothe low-trust database 14, or a request to write to a file in a filesystem. Or in some cases, the values subject to subsequent operationsmay be values already stored in a lower-trust database 14 or filesystem, for example, values processed during an installation process bywhich a lower-trust database 14 is secured by moving data into thesecure distributed storage 16 described above.

Next, some embodiments may classify values as higher or lower security,as indicated by block 104. For example, a write request may specify thata given record is to be added to a new row in a table, and that recordmay specify a tuple in which values are assigned to each of severalfields, each corresponding to different columns in the table. In somecases, some of those fields may be lower-security, while other fieldsmay be higher-security. In some embodiments, the security driver 30 mayinclude a table that maps table/field combinations to securitydesignations, for example, binary values indicating whether the valuesare lower or higher security values. Or some embodiments may use theother types of data security policies described below. For example, aSocial Security number field may be a higher-security value, while ausername in a public-facing account may be a lower-security value. Inanother example, credit card information like a credit card number maybe a higher-security value, while a ZIP Code in a mailing address may bea lower-security value.

Next, some embodiments may cause the database to store thelower-security values, as indicated by block 106. In some cases, thisoperation may include modifying a SQL statement or other databasecommand received by the security driver 30 from the application 28 andproviding the modified command to the database driver 32. For example,some embodiments may modify portions of the received command that wouldotherwise specify that the higher-security values are to be written tothe lower-trust database 14. In some cases, the modification takes theform of modifying the values themselves rather than reserved terms inthe command, such that modified values are written to the lower-trustdatabase 14 in the positions that the corresponding higher-securityvalues were going to otherwise be written by the application 28 (therebymaintaining relationships stored in the database). Or pointers may bewritten to directories in a file system in place of files or otherdocuments. For example, some embodiments may cause node identifiers orother pointers to nodes to be written, for example, identifiers ofsegments of the data to be written that are formed in operationsdescribed below, like a first segment.

Next, some embodiments may determine whether there are morehigher-security values that were identified to process, as indicated byblock 108. In some cases, some embodiments may iterate through each ofthe higher-security values, or process some or all of thehigher-security values concurrently, and operation 108 may determinewhether the full set has been processed. Upon determining that all ofthe higher-security values that were classified have been processed,some embodiments may return to block 102 and wait for a next writerequest. Alternatively, some embodiments may select a next value that ishigher security, as indicated by block 110, for subsequent operations.

Next, some embodiments may segment the current value into a plurality ofsegments, as indicated by block 112. As noted above, the current valuein some cases may be an individual value for an individual field of anindividual row of a database, or in some cases the value may includeadditional information, such as an entire row, or a value thatassociates a value in the database with a table and primary key for thatrow. Or in some cases, the value may be a document like that describedabove that may include additional data.

Next, some embodiments may segment the current value into a plurality ofsegments, as indicated by block 112. In some cases, the value may besegmented by character position in the sequence or byte position in asequence of bytes, for example, segmenting each sequential byte in aserialized representation of the value or each sequential four bytes. Insome embodiments, segmenting may include segmenting with the entropycoding techniques described above. For example, some embodiments maysegment according to a dictionary coding in an entropy coding of thevalue, for example, with each dictionary entry corresponding to adifferent segment. In another example, segmenting may include anoperation that breaks up the value into multiple segments that eachcontain nonconsecutive portions of the value, for example, placing everyfifth byte into a first segment starting with a first byte, placingevery fifth byte in a second segment starting with a second byte,placing every fifth byte in a third segment starting with a third byte,and so on. In some embodiments, values may be segmented into a specifiednumber of segments, for example, dividing the value into fourths, suchthat one fourth of the bytes by which the value is encoded go into afirst segment, one fourth into a second segment, one fourth into a thirdsegment, and one fourth into the fourth segment.

In some embodiments, values may be segmented with techniques fromnetwork coding (e.g., linear network coding) such that resultingsegments are combined in a bit-wise operation to reconstruct the value.For instance, a given value 64 bytes long may be segmented into two 64byte segments that when combined in a bit-wise XOR operation produce theoriginal value. In some embodiments, some of the segments may containredundant information relative to other segments. For example, someembodiments may encode data before segmenting or during segmenting withHamming codes or Turbo codes, such that if two of three consecutivesegments are available, the information and the other segment can bere-created, or such coding may be applied with less redundantinformation such that errors in one segment render that segmentinconsistent with the redundant information in an adjacent consecutivesegment. In some embodiments, the segments may be represented as asequence or in some cases, the segments may be represented in other datastructures. For example in some cases, the segments may be representedas a collection of paths through a prefix tree.

Next, some embodiments may cause the database, such as the lower-trustdatabase 14, to store a pointer to a first segment, as indicated byblock 114. In some cases, this operation may further include causing arecord to be added to an index maintained by the translator 20 thatassociates that pointer, which may be a unique segment identifier, whichin some cases may be an identifier of an individual node in a datastructure like that directed acyclic graphs 70 described above, or anindividual attribute of a node in that data structure, with an addressof the directed acyclic graph. In some cases, the association may bewith a plurality of addresses each corresponding to a differentreplicated instance of the directed acyclic graph, such as a pluralityof different uniform resource identifiers that are mapped by the DNS 18to Internet protocol addresses and port numbers of the correspondingstorage compute nodes 26 storing those different instances of thedirected acyclic graph and in some cases performing the above-describedoperations by which nodes are formed and data is verified. In someembodiments, causing the database to store a pointer to the firstsegment may include performing the above-described operations by which awrite command received from the application 28 is modified to replacethe higher higher-security values with the pointers before providingthat command to the database driver 32.

Some embodiments may iterate through each of the segments, causing eachof the segments to be stored and determining in each iteration whetherthere are more segments to process, as indicated by block 116. Upondetermining that there are more segments for a given value to beprocessed, some embodiments may select a next segment, as indicated byblock 118. Some embodiments may then select a computing device, such asa computing device executing one of the above-described storage computenodes 26, to store the current segment, as indicated by block 120. Insome cases, a list of the storage compute nodes 26 may be maintained ina circular linked list, and some embodiments may maintain a pointer thatis advanced with each storage operation, causing the pointer to cyclethrough the list, and using the pointed-to storage node to store thecurrent segment. Or some embodiments may select storage compute nodes26, for example, with a random number or with a pseudorandom valuegenerator, such as a linear shift register. In some embodiments, storagecompute nodes to store a given segment may be selected based on a uniqueidentifier assigned to the segment. In some embodiments, the uniqueidentifier may be a hash value based on content of the segment, and aprefix or suffix of the hash may uniquely identify one of the storagecompute nodes 26. In some embodiments, such a prefix or suffix mayuniquely identify a directed acyclic graph 70, which may be replicatedon multiple stores compute nodes. In some embodiments, the content ofthe segment itself may be hashed, and a prefix or suffix may specify oneof the above-describe storage compute nodes 26 or an instance of adirected acyclic graph that may be replicated on multiple stores computenodes 26. For example, 64 different directed acyclic graphs may bemaintained, each replicated three times, and a trailing six digits of abinary representation of a hash of the content of the segment mayspecify a value that ranges between zero and 63, and that value mayserve as an identifier of one of the directed acyclic graphs to whichthat segment is to be stored. In some embodiments, selecting a directedacyclic graph may cause one or more, such as three, computing devices tobe selected, those being the computing devices that store and maintainthe corresponding directed acyclic graph.

Next, some embodiments may instruct the selected computing device tostore the segment in memory in association with a pointer to a previoussegment, as indicated by block 122 (except for a first-segment, whichmay not have a pointer to a previous segment). In some embodiments, thismay include the above-described translator 20 sending instruction toeach of an odd numbered set of storage compute nodes 26 replicating oneof the directed acyclic graphs 70 to form a node in which the segmentcontent and the pointer serve as one or more attributes of that node,such as one of the above-described leaf nodes 88 through 94. In someembodiments, forming this node may further include forming cryptographichash pointers to that node through the above-described types of datastructures by which different directed acyclic graphs may be formed, forexample, through higher levels of a hierarchy in a binary tree, in somecases adding additional blocks to a linked list of blocks, each blockhaving a different binary tree and link to previous blocks according tocryptographic hash pointers like described above.

Next, some embodiments may return to determine whether there are moresegments in association with the current value. Upon determining thatthere are no more segments, some embodiments may return to block 108 anddetermine whether there are more higher-security values to process. Insome embodiments, multiple values may be processed concurrently. In someembodiments, values may be segmented from front-to-back or vice versa.

FIG. 5 shows an example of a resulting data structure 130 in which aplurality of segments are stored in different directed acyclic graphs132, 134, and 136, which in some cases may each have the features of thedirected acyclic graphs described with reference to FIG. 3 . In someembodiments, the segments of a given value may be stored in a contentgraph overlaid on each of these directed acyclic graphs 132, 134, and136, which may be characterized as a verification graphs to distinguishan overlaid content graph (and as they serve as an immutabletamper-evident log of the values of the segments in some embodiments).

In this example, the segments in the content graph 138 form a linkedlist, with a first node of the segment content graph 138 being stored ina leaf node 139 of verification graph 132, that first segment beingdesignated as node 140 in the content graph. The node 140 in the contentgraph may be stored as an attribute in node content in the node 138 ofthe verification graph, and the content node 140 may include a pointer142 to a next node in the content graph 138, which may be stored on adifferent verification graph 134. In some cases, the pointer 142 may becharacterized as an edge in the content graph 138 and may be expressedas an identifier of a node 143 in the verification graph 134 or in somecases as an identifier of an attribute in that node where multiplesegments are stored in different attributes of a given node of averification graph. In some embodiments, in the content graph 138, node140 points to another segment 144, which may then the point to anothersegment with pointer 146 in verification node 147 of verification graph136. Verification node 147 may include as node content one or moreattributes that specify a final segment in content graph 138 designatedwith element number 148. In some cases, node 148 may specify that thereare no additional nodes in the value.

As a result, even if a given malicious actor somehow compromises one ofthe verification graphs 132, 134, or 136, that attacker will only beable to access a set of segments of values and will not have access toother segments needed to complete the full value stored in thedistributed storage 16. Further, because the segments are stored in atamper-evident directed acyclic graph with the above-described hashpoint cryptographic hash pointers, evidence of tampering will not becomputationally feasible to conceal.

Thus, FIG. 5 shows a plurality of verification directed acyclic graphs132, 134, and 136, each of which may be replicated, and each of whichhas nodes that may store as node content data that encodes a contentgraph 138, which in this case is a linked list of segments, where eachsegment in sequence points to the next segment and its correspondingaddress, and in some cases attribute identifier in the underlyingverification graphs.

In this example, segments are arranged in a one-dimensional linked list,but embodiments are consistent with other arrangements of contentgraphs. For example, some segments may include pointers to multiplesubsequent segments, for example, in a skip list to facilitateconcurrent retrieval, and in some cases segments may be stored inassociation with a segment position identifier, for example, an order inwhich the segments are to be sequenced to reconstitute the segmentedvalue by the translator 20 in a read operation. In another example,segments in a content graph encoding a plurality of segments of anindividual value may be stored in a binary tree content graph, a skiplist content graph, or a combination of binary trees, linked lists, skiplists, and the like.

Three segments for a given value are shown, but embodiments are expectedto include substantially more in some cases. In some cases, binary dataencoding a single text character may be segmented, for example with agiven Unicode character being segmented into two or more segments, and agiven value yielding 10 or more or 20 or more segments, which in somecases may each be stored in different distributed acyclic graphs, whichin some cases may each be replicated multiple times, for example 3 ormore times. Thus, a given value may be stored in part on 30 differentstorage compute nodes 26. In some cases, different instances may becompared to determine an authoritative copy, e.g., selecting a storedand returned value according to a majority rule approach among thereplicated instances. In some cases, e.g., where the replicatedinstances of the graphs are on permissioned computing devices,embodiments may vote for a given value without performing a proof ofwork or proof of storage operation, or where devices storing the graphsare untrusted, some embodiments may determine consensus with a proof ofwork, storage, or stake, e.g., according to a consensus protocol, likePaxos, Raft, or the like. In some embodiments, e.g., in untrustedsystems, instances may be addressed according to Interplanetary FileSystem (IPFS) or with various distributed hash table approaches.

In the example of FIG. 5 , each of the directed acyclic graphs 132, 134,and 136 is the same type of directed acyclic graph, in this case alinked list of binary trees, where edges are formed by cryptographichash pointers. In other embodiments, a heterogeneous set of directedacyclic graphs may be combined, for example with different segmentsstored in different types of graphs. For example, an initial segment maybe stored in a binary tree, while other segments may be stored indirected acyclic graphs like those shown in FIG. 5 , for example, inlinked lists of binary trees.

FIG. 6 shows an example of a process 150 by which data may be retrievedfrom the data structure 130 of FIG. 5 or other data structures writtento with the process of FIG. 4 . In some embodiments, the process 150includes detecting an application querying a database, as indicated byblock 152. In some cases, this includes executing the security driver 30shown in FIG. 1D and receiving a read request sent to the databasedriver 32 by the application 28 in FIG. 1 . Some embodiments furtherinclude receiving a query response from the database, as indicated byblock 154. In some embodiments, receiving the query response may occurafter the database driver 32 in FIG. 1D sends a query to the lower-trustdatabase 14, which may return a query response, for example, a responseto a SQL statement selecting certain records that satisfy certaincriteria. Or the response may be a document accessed in a file system.In some embodiments, the query response may be received by the databasedriver 32, which may then send the query response to the application 28.This response may be intercepted by the security driver 30 and modifiedby the security driver 30 before it is provided to the application 28.In some embodiments, the security driver 30 may detect pointers tosegments stored in the process of FIG. 4 , for example, in a datastructure of FIG. 5 , and send those pointers to the translator 22 betranslated back into the values that were sent to the data structure inthe suit secure distributed storage 16, for example in a plurality ofsegments. Thus, a given query response may include a lower-securityportion of the query response corresponding to values in fields that, inthe process of FIG. 4 , are not classified as higher-security values,and higher-security values that are classified as such in the process ofFIG. 4 , or at least pointers to those values in the secure distributedstorage 16. In some embodiments, these pointers may be detected with aregular expression configured to detect a prefix or suffix labeling thepointers as such, for example, with a sequence of reserved characters.

Thus, some embodiments may include an operation of determining whetherany pointers formed in the process of FIG. 4 are present, as indicatedby block 156, in the received query response. Upon determining that atleast some pointers are present, some embodiments may determine whetherthere are more pointers to process in the query response, as indicatedby block 158. Some embodiments may iteratively or concurrently processeach of the pointers present in the query response from the lower-trustdatabase 14 to replace those pointers with corresponding value stored inthe secure distributed storage 16, for example, in the data structure ofFIG. 5 with the process of FIG. 4 .

Upon determining that there are more pointers to process, someembodiments may select a next pointer, as indicated by block 160, andretrieve a segment and associated pointer if and associated pointer isstored in association with that segment, as indicated by block 162.Segments may be retrieved in reverse order or vice versa relative to theorder in the value that is segmented, depending on how the content graphis structured, e.g., based on the order in which the segments arewritten. In some embodiments, retrieving the segments and associatedpointers may include causing the translator 20 to access an index thatassociates pointers, for example, segment identifiers, with one or moreURLs of one or more computing devices storing a replicated instance ofone of the directed acyclic graphs 132, 134, or 136 storing the segmentto which the pointer points. In some embodiments, the index may furtheridentify, in association with the pointer, a node identifier, forexample, a block and path through a binary tree, to a specific nodestoring as node content in an attribute of that node the segment atissue and an associated pointer of present, for example if it is not thelast segment to be retrieved. In some embodiments, the translator 20 mayaccess the DNS 18 to identify an Internet Protocol address and portnumber of the secure compute node 26 maintaining the identified directedacyclic graph, or each secure storage compute node 26 storing one of areplicated instance of that directed acyclic graph. Some embodiments ofthe translator 20 may send a request to those storage compute nodes toreturn the identified segment, and the receiving storage compute nodes26 may traverse the edges specified by the cryptographic hash pointersin the corresponding directed acyclic graph along a path specified bythe request to the specified node storing the segment. Or someembodiments may navigate directly to the segment, for example, based ona node identifier that identifies an address in memory of the segmentwithout requiring traversal. In some embodiments, to expedite access,locations of nodes in memory may be stored in a binary treecorresponding to note identifier, or in a sorted list, to facilitaterelatively fast access to content of nodes.

In some embodiments, the storage compute node 26 or set of storagecompute nodes 26 replicating the directed acyclic graph, may return thespecified segment to the translator 20. In some embodiments, thetranslator 20 may receive multiple instances of the requested segment,and some embodiments may determine whether each of the segments matchone another or determine a content of the segment based on a contentreturned by a plurality or majority of the responses, thereby preventinga modification of one of the instances from affecting the authoritativecontent of the segment determined by the system. That said, not allembodiments provide this benefit, which is not to suggest that any otherfeature described herein is limiting.

Some embodiments may maintain in memory a partially or fully formedencoding of the value to which the segments belong, and some embodimentsmay concatenate the retrieved segment to a sequence of segmentsaccumulated in this value, as indicated by block 164. For example, someembodiments may prepend or append each successive retrieved segment tothis sequence of segments. Or in some big cases, the segments may comebe combined with other techniques. For example, some embodiments maycombine the segments by XOR'ing the segments to re-create the value. Theterm “concatenate” is used broadly herein to refer to each of thesedifferent operations by which information in different segments iscombined to produce the value from which the segments were taken. Insome embodiments, segments may be retrieved out of order, for example,with segments labeled with a value indicating a position in a sequence,and some embodiments may sort the segments according to this value tore-create the value from which the segments were taken.

Next, some embodiments may return to determine whether there are morepointers to process in block 158. Upon determining that there are nomore pointers to process, some embodiments may proceed to form a revisedversion of the query response, as indicated in block 166, in which thepointers are replaced with the higher-security values segmented andstored in the secure distributed storage 16, for example, in the datastructure of FIG. 5 with the process of FIG. 4 . In some embodiments,the replacement operation may be performed by the above-describedtranslator 20 or within the security driver 30. In some embodiments, therevised version of the query response may include the replacement valuesin the same position, in the same formatting as the pointers within thequery response, thereby maintaining associations between differentvalues and metadata in the query response, for example, associations inwhich records are distinguished and associations in which values areindicated as applying to particular fields in those records. In somecases, where no pointers are present, the revised version of the queryresponse may be an unaltered version of the query response, upondetermining that no pointers are present in block 156.

Next, some embodiments may provide the revised version of the queryresponse to the requesting application, as indicated by block 168. Insome cases, the revised version of the query response may be advanced bythe security driver 30 to the application 28 in FIG. 1D according to anapplication program interface of the database driver 32, such that anapplication 28 configured to interface with the database driver 32, butnot designed with the security driver 30 in mind, will transparentlyreceive the query data without needing to be reengineered to interfacewith the secure distributed storage 16.

In some embodiments, the write operations of FIG. 4 or the readoperations of FIG. 6 , or both, may be performed in different portionsof the system of FIG. 1D (or other systems) than those described. Forexample, in some cases, these operations may be performed by a databasemanagement system or a database gateway by which client devicescommunicate with the database. In some embodiments, these operations maybe performed by a dedicated appliance on a network through which clientcomputing devices access a database. In some embodiments, theseoperations may be performed entirely within a single computing device,for example, as part of a monolithic application in which the featuresof the secure distributed storage are operated within a single computingdevice, or on a single device in which the different components executein different containers or virtualized operating systems accessed via aloopback Internet protocol address.

Generation of Hash Values within a Blockchain

As noted above, blockchains generally allow for small bits ofinformation to be stored in an immutable data structure; the moment datain the chain is altered, the chain is broken and generally can no longerfunction. The most common blockchain implementation is the publiclyaccessible Bitcoin ledger (for which blockchains were designed).

However, many extant blockchain systems are not well suited for certainuse cases. Blockchains are typically immutable, and therefore once datais committed to the chain, under most circumstances it is consideredpermanent. This can lead to scalability challenges as the chain can growto be very large with no ability to reduce the size of the chain (noneof which is to suggest that systems with immutable blockchain aredisclaimed for all embodiments or are inconsistent with someimplementations).

These, and other problems, are mitigated by some embodiments of thesystem introduced above referred to below as “Docuchain.” Docuchain, insome embodiments, is a blockchain software suite for low-latency put andget operations of BLOBs. Docuchain, in some embodiments, uses animproved version of a hash function for a blockchain.

Docuchain, in some embodiments, makes use of abstract functions (a termwhich is used generically to also refer to methods and other routines)to define which properties of individual blocks are used in creating theblock hash (sometimes referred to as Merkle root). By variating theproperties that are used to construct this hash, some embodimentsincrease or decrease the ambiguity of the hash output. In someembodiments, a lambda function can be passed in to the constructor ofBlockManager, which receives a block entry as a parameter and returnsthe values to be passed into the hash function, as defined by ‘H’ in theexpression BlockManager<H,T>.

For example, if only the block's data is used in the generation of itsMerkle Root, it would be possible to remove the head of the chainwithout consequence of breaking the chain itself. Alternatively, ifsystems use the data, the position, and potentially even more specificproperties such as read/write times, the chain becomes completelyimmutable and must (in some implementations) stay intact in its entiretyin order to be functional.

Some embodiments add this degree of control by removing the in-chainscripting language component and adding the ability for the hashed valueto be controlled as part of configuration rather than part of sourcecode. In some embodiments, the hash function accepts data that is notcontingent on a block's position within a chain. In some embodiments,the hash function accepts as input only values that can be re-created inanother chain.

In other embodiments, a similar output as a result of this functionalitycould be produced by conducting a sort of refactoring on a chain. Thisoperation may include writing all of the data intended to be kept to anew chain, and then updating all referential TXIDs (or other pointerslike those described above) in any external data stores that exist.

To implement these approaches and others, some embodiments may execute aprocess 170 by which a cryptographic hash function is configured to makeit is feasible to recompose portions of directed acyclic graphs havingedges specified by cryptographic hash pointers formed with thecryptographic hash function, for example, to accommodate directedacyclic graphs that have grown larger than a threshold size and breakthose graphs into smaller portions or spawn new directed acyclic graphsthat link back to those directed acyclic graphs.

In some embodiments, the process 170 may be performed by the storagecompute nodes 26 of FIG. 1D, but is not limited to that implementation,which is not to suggest that any other description herein is limiting.Indeed, the operations of process 170 may be applied to other types ofdirected acyclic graphs having cryptographic hash pointers as edges, forexample, in block chains used for cryptocurrencies and in distributedtamper-evident ledgers used for other purposes.

In some embodiments, the process 170 includes obtaining a tamper-evidentlog, as indicated by block 172. In some embodiments, the tamper-evidentlog is one of the directed acyclic graphs discussed with reference toFIGS. 3 and 5 and may take a variety of different forms. In someembodiments, the tamper-evident log includes a sequence of nodes, orblocks that are collections of nodes, for example, each block being abinary tree of nodes. In some embodiments, the tamper-evident log mayindicate through the topology of a directed acyclic graph a sequencewith which entries in the log are added. In some embodiments, each entrymay be characterized as a node or as a block in the tamper-evident log.

Next, some embodiments may obtain a plurality of records to beprotected, as indicated by block 174. In some cases, the records may bethe segments or documents (which is not to suggest that a documentcannot be a segment) discussed above. In some cases, the records to beprotected may be obtained by the storage compute nodes 26, for example,upon being received from a translator 20 like that described withreference to FIG. 1D.

Some embodiments may iteratively or concurrently process the records anddetermine whether there are more records to process, as indicated byblock 176. Upon determining that there are no more records to process,some embodiments may return to block 174 and wait for additional recordsto process. Upon determining that there are more records to process,some embodiments may proceed to select a next record, as indicated byblock 178, among the unprocessed records.

Some embodiments may then access content of a most-recent entry of thetamper-evident log, as indicated by block 180. In some cases, themost-recent entry may be a last block written to the log or a last nodewithin a component of a block, like a leaf node or higher-level node ina binary tree in a block. In some cases, the accessed content may be oneor more attributes of the most recent entry, such as one or moreattributes of node content. In some embodiments, those attributes mayinclude those like which are described above with reference to nodes inthe directed acyclic graphs described with reference to FIGS. 3 and 5 .

Next, some embodiments may access an abstract cryptographic hashfunction, as indicated by block 182. The term “abstract” refers to aprogramming construct by which the specific implementation of a functionor method is defined by other code than that having a placeholderdesignating the function as abstract (e.g., an object, class,subroutine, or function), and in some cases certain aspects of theabstract function are defined in other code, for example in a classdefinition in an object-oriented programming language, where anon-abstract implementation of the abstract function is defined uponimplementing an object in the class. In another example, the abstractfunction may be specified as abstract by code configured to receive alambda function from a calling body of code or from a body of code thatcalls that is called by the body of code that receives the lambdafunction. In some cases, the implementation may have access to the scopeof the body of code having the reference to the abstract function, e.g.,an instance of an object in an abstract class or a method that receivesthe lambda function as a parameter.

Some embodiments may determine that an abstract cryptographic hashfunction has been accessed, for example, upon detecting the presence ofa reserved term indicating that this type of function or method has beenaccessed.

Some embodiments may then determine an implementation of the abstractcryptographic hash function, as indicated by block 184. In some cases,the implementation may be determined as part of instantiating an objectwithin an abstract class, and in some cases, the implementation may bedetermined by receiving a lambda function defined by calling code orcalled code. In some embodiments, the implementation may specify acryptographic hash algorithm, such as SHA-256 or the other examplesdescribed above, or in some cases the type of cryptographic hashfunction may be specified in the specification of the abstractcryptographic hash function, leaving other aspects of the algorithm tobe configured in the implementation. In some embodiments, theimplementation may specify which inputs are processed by thecryptographic hash function to determine an output, while the abstractrepresentation of the cryptographic hash function may not specify whichinputs are used in the implementation. Thus, a single abstractcryptographic hash function may be implemented a variety of differentways within a given body of code, for example, calling those differentways at different times in different scenarios based on differentcriteria.

In some embodiments, the implementation of the abstract cryptographichash function that is determined in block 184 may specify that certaintypes of inputs are to be used in calculating the cryptographic hashvalue output. In some embodiments, those types of inputs may be selectedamong a subset of attributes in node content accessed in block 180, suchas attributes and node content of an adjacent node of a node that is tobe added to the tamper-evident log. In some embodiments, the types ofinputs may be position-agnostic inputs, such as node attributes that donot indicate a position of the node accessed in block 180 within thetamper-evident log obtained in block 172. For example, the selectedtypes of inputs may exclude timestamps, dates, counter values thatindicate a position in a sequence that is specific to a graph, like anarray index, or the like. In some embodiments, the position-agnosticinputs that are selected may include items like attributes that specifya segments content or document content stored in the most-recent entry.In another example, the attributes of the access node content used asthe position-agnostic input to the implemented cryptographic hashfunction may include a cryptographic hash value of a cryptographic hashpointer to another node that is pointed to by the node accessed in block180, thereby preserving the benefit of chaining cryptographic hashpointers.

In some embodiments, the same implementation of the cryptographic hashfunction may be applied to calculate each cryptographic hash value ineach cryptographic hash pointer of a directed acyclic graph encoding thetamper-evident log obtained in block 172. Or in some cases, differentimplementations may be accessed at different times for differentdirected hash pointers. For example, each directed edge encoded by acryptographic hash pointer may also include a value that identifies theimplementation, for example, a value that indicates whether the edge isspecified with a position-agnostic implementation of the abstractcryptographic hash function or a position-dependent implementation, theposition-implement dependent implementation including as inputs thetypes of values described above as non-position-agnostic, for example,timestamps dates, position indices, and the like. In some embodiments,the position-agnostic implementation may be selected upon determiningthat the tamper-evident log in a given directed-acyclic graph, orportion thereof, has reached a threshold size and that a new directedacyclic graph storing subsequent entries to the tamper-evident log is tobe created, while the other cryptographic hash function implementationsthat are not that are position dependent may be used at other times. Orto simplify the code, the same position-agnostic implementation may beused for each cryptographic hash pointer.

Next, some embodiments may calculate a cryptographic hash value with theimplementation determined in block 184 based on the accessed contentfrom block 180, as indicated by block 186. In some embodiments, theprocess 170 further includes forming content of a new entry to thecamper-evident log that includes the hash value calculated in block 186and the current record selected in block 178, as indicated by block 188.In some cases, forming new content may include modifying an existingentry or creating a new entry. In some embodiments, forming content mayinclude adding values to attributes in the content of the new entry,such as attributes in the above-described nodes in the graphs of FIGS. 3and 5 . In some embodiments, the hash value in the current record may beseparately labeled as distinct attributes in the formed content, or insome cases these values may be combined, for example, with a singlecryptographic hash value based on both the accessed content from block180 and the current record. In some embodiments, the current record maybe stored remotely, while a hash digest, such as a cryptographic hashvalue based on that content may be stored in the tamper-evident logobtained in block 172. Or some embodiments may store the current recordin the log itself to expedite access in accordance with some of thetechniques described above, for example, with reference to FIGS. 2 and 3.

Next, some embodiments may prepend the new entries to the tamper-evidentlog, as indicated by block 190. In some embodiments, this may includeadding a new entry to a sequence of entries, such as to the sequence ofblocks 172, 174, and 176 in a data structure 70 of FIG. 3 . The term“prepend” does not require any particular array index or position insome programming construct, as long as the new entry is designatedimplicitly or explicitly in the tamper-evident log as being newer thanexisting entries in the tamper-evident log or otherwise older-entries.

Some embodiments may then determine whether a size of the log is greaterthan a threshold, as indicated by block 182. In some embodiments, thismay include determining whether the size of the log is greater than orequal to the threshold, a configuration also consistent with thedesignation greater than, which is used generically herein. Upondetermining that a size of the log is not greater than the threshold,some embodiments, may return to determine whether there are more recordsto process in block 176. In some embodiments, the size may be measuredby an amount of blocks, an amount of nodes, or an amount of data storedwithin the directed acyclic graph, for example, measured in megabytes.

Upon determining that a size of the log does exceed the threshold, someembodiments may proceed to split the tamper-evident log into an oldertamper-evident log and a newer tamper-evident log, as indicated by block194. In some embodiments, the split tamper-evident logs may each be ofthe same types of directed acyclic graphs, in some cases with the oldertamper-evident log being larger at the time of the split. In someembodiments, splitting may be performed by determining to not prependthe new entry or the next entry after the new entry to thetamper-evident log and instead instantiating a new directed acyclicgraph to receive a subsequent entry. In some embodiments, the older andnewer tamper-evident logs may each be of the same type (e.g., class oftopologies) and have the attributes of the directed acyclic graphsdescribed with reference to FIGS. 3 and 5 . In some embodiments, thesystem may cease adding new entries to the older tamper-evident log andcontinue adding new entries to the newer tamper-evident log until thatlog exceeds the threshold, in which case some embodiments may then splitthat newer tamper-evident log into a yet newer tamper-evident log,continuing indefinitely to grow the number of tamper-evident logs.

In some embodiments, an initial node or block in those tamper-evidentlogs may include a cryptographic hash pointer to the oldertamper-evident log, for example, a cryptographic hash value based on aroot node of a newest block of a consecutively older tamper-evident log.In some embodiments, this referenced content may be used to generate aseed value like in block 78 of FIG. 3 and may be associated with anidentifier of the older tamper-evident log. In some embodiments, thenewer tamper-evident log may be instantiated on a different storagecompute node 26 in FIG. 1D from that of the older tamper-evident log, orit may be instantiated on the same storage compute node 26.

Thus, some embodiments may reconfigure directed acyclic graphs whilemaintaining provable tamper resistance, thereby accommodatingarbitrarily large data sets.

Transparent Client Application to Arbitrate Data Storage Between Mutableand Immutable Data Repositories

As noted, in many cases, traditional databases are not sufficientlysecure. Many mainstream databases provide some level of permissioning,but oftentimes these permissions are broad and difficult to manage,which leads to the opportunity for attack and misuse. Further, mostwidely adopted databases implement transactional SQL (T-SQL) or asimilar variant. In most implementations, poor design practices andlegacy code can present vulnerabilities such as SQL injection attacks,which trick the database into returning potentially sensitive andunintended data. Additionally, there is very little auditability andpermissioning for individual cells within a table other types ofindividual table values. Moreover, most database management systems relyon a driver that lives on the database client's machine. Oftentimes,these clients are open source and easily available, making exploitationeasier. (None of this is to suggest that some embodiments may not alsobe afflicted with subsets of these problems, as several inventions aredescribed and those inventions can be used independently withoutaddressing every problem described herein.)

To address such concerns, various approaches have been implemented tosecure stored data. Examples include air-gapping the database orcarefully managing permission to access the database. Many approaches,however, are difficult to administer (e.g., using baroque permissionschemas), are slow (e.g., air-gapping), or break backward compatibilitywith expensive enterprise applications that expect a particular databasedriver interface, none of which is to suggest that any of theseapproaches are disclaimed in all embodiments.

Some embodiments mitigate some of the problems described above with aspecialized client application that is able to identify sensitive data(by column type, predefined column name, or other predefined methods).Some embodiments may capture the data as it is being transmitted to thedatabase and route sensitive data to more secure storage mechanisms,like those mentioned above. Thus, more secure, though potentiallyslightly slower, storage techniques may be reserved for the mostsensitive data, while less sensitive data may be processed with fasterand cheaper less secure storage solutions, like traditional relationaldatabases. Further, in some embodiments, the client application mayabstract away from other applications this differential routing andvariation in query formats between systems.

In some embodiments, a subset of more sensitive data may be stored byscattering the data among multiple blockchains, as described above.Similarly, when the client application detects that sensitive data isbeing queried (using the same method), the client application, in someembodiments, may take a TXID (or other pointer) as it is coming from thedatabase, send it to an arbiter instance for reassembly, confirm thatthe request has valid permissioning and if so, place the reassembleddata in place of the TXID.

Because some embodiments intercept the data in the data path, someembodiments are able to produce an additional audit log which shows allattempts to access the data, as described in greater detail below. Insome cases, these access logs can be notated with request-specificinformation such as: username, geolocation, client machine IP address,etc.

Through this approach, it is expected that other applications thatimplement traditional database drivers will require little or no scatteror blockchain-specific configuration. In some cases, the process iscompletely transparent to other legacy applications. Further,permissioning complexity may be relaxed with secure data routed todistinct, immutable, secure data structures, as access to, andmodification of, data may be readily detected.

Certain types of data are expected to be particularly amenable to usewith the present techniques. Often system-access credentials, like usernames and passwords, are particularly sensitive, as entire accounts maybe compromised if such information is subject to unauthorized access.Storing passwords on a local machine or in a database where the entirepassword is accessible in one location provides an easy target forthreat actors looking to manipulate, steal, or otherwise misuseauthentication credentials. Other examples include credit card numbers,social security numbers, or health-related data.

Some embodiments interface with blockchains as a storage data structurewith an arbiter or other piece of middleware that is capable of takingas an input the full text representation of a user credential, startingfrom the last byte of that credential, fragmenting that credential intoN pieces, and placing each piece on a physically (or virtually) separateblockchain backed storage data structure, with each piece containingpointers to the next storage locations of the fragmented credential.When an application or resource requests the reassembly of a fragmentedcredential, in some embodiments, an arbiter or piece of middleware issupplied with the location of the first byte of the credential. Afterreading the first byte, in some embodiments, the arbiter or middlewarethen reads the subsequent pointers until a null character or end ofsequence character is read. Once all of the pieces have been read intomemory, the arbiter or other middleware may respond to the applicationwith the resultant unfragmented credential. Some embodiments maypreprocess the credential and count the number of pieces that arerequired from the beginning before fragmenting the credential. Someembodiments may require that credentials yield a threshold number offragments. Some embodiments may salt fragments or credentials beforefragmentation to defeat or impair rainbow table attacks.

These and other techniques may be implemented with a process in FIG. 8 ,which shows an example of a process 200 that may be executed by a clientcomputing device to transparently retrofit an existing workloadapplication to interface with a heterogeneous mix of databases and, inparticular, with a combination of databases that includes ahigher-security database than that which the application is configuredto interface with as originally written, such as databases like thosedescribed above. It should be emphasized, though, that the presenttechniques are not limited to embodiments drawing upon the above-typesof more secure databases and, and some cases, may be used in conjunctionwith other types of databases, such as another relational database orother type of datastore, such as one that is deemed to behigher-security or lower latency than that which the applicationaccessing data is configured to interface with. In some embodiments, theprocess 200 may be executed by the above-describe security driver 30,though it should be noted that in some cases, some or all of thefunctionality may be executed in the translator 20 in a databasegateway, in a database management system, or in some other computingdevice.

Executing the process 200 in a client computing device, before dataleaves the client computing device, or upon data arriving into theclient computing device, is expected to yield certain security benefitsin some use cases, where for example, the database that the workloadapplication executing on the client computing device is configured toaccess has been compromised. In such scenarios, it is likely that anadversary may have compromised other computing devices on a network, andmerging or splitting data at the client computing device, immediatelybefore or after writing or reading respectively, is expected to reducethe attack surface of a network. That said, embodiments are not limitedto systems providing these benefits, and in some cases, these operationsmay be performed in another computing device believed to be relativelysecure on a network, which is not to suggest that any other featuredescribed herein is limiting.

In some embodiments, the process 200 may be made transparent to aworkload application executing on a client computing device, such as aservice on one host of a plurality of hosts executing different servicesin a micro-services architecture, or an application executing as amonolithic application on a single computing device. In someembodiments, the process 200 may be made transparent to that applicationby registering the process in the operating system of the clientcomputing device to appear to be the database driver that the workloadapplication is configured to access and then wrapping an applicationprogram interface of the original database driver with the operationsdescribed below. Thus, some embodiments may be responsive to the sameset of application program interface requests that a database driver isresponsive to, while providing additional functionality. Further, someembodiments may then pass modified or unmodified application programinterface exchanges between the workload application and the databasedriver. In many cases, source code of the workload application isunavailable or is expensive to modify. Thus, retrofitting existingworkload applications in a manner that does not require changes to codeof that application is expected to be particularly desirable. That said,the present techniques are also applicable in use cases in which thesource code is available for the workload application and is modified toimplement the present techniques, which again is not to suggest that anyother description is limiting.

In some embodiments, the process 200 includes registering a securitydriver that wraps a database driver, as indicated by block 202. In someembodiments, the security driver may be registered in an operatingsystem in which a workload application (e.g., application 28 above)making database access request described in subsequent operations ofprocess 200 is executed, and this operating system may also be anenvironment in which a database driver (e.g., driver 34 above) describedbelow operates. In some embodiments, as a result of the registrationoperation, when an application sends an application program interfacerequest to the database driver, that request may be received by thesecurity driver instead, and the security driver may be configured tothen communicate with the database driver as an intermediary between thedatabase driver and the application within a single operating system ona client computing device.

In some embodiments, other types of access may be handled in a similarfashion. For instance, some embodiments may wrap a filesystem driver toobtain exchanges between filesystem drivers and workload applications,e.g., operating on documents. In some cases, a file system filter drivermay be instantiated that emits events indicative of application programinterface exchanges with the filesystem driver and some embodiments mayclassify these events as pertaining to higher-security documents (ornot) and, in some cases, modify the driver behavior in response, e.g.,substituting a document stored in the secure distributed storage 16 foran access request that pertains to, e.g., a locally stored text filewith a pointer to such a document.

Some embodiments may then include receiving a first write request, asindicated by block 204. In some cases, this operation may be performedsometime after registering the security driver and may occur withrelative frequency. In some embodiments, the write request is like thosedescribed above. In some embodiments, the write request is anapplication program interface request to the database driver from theworkload application executing on the computing device. In someembodiments, the request may be to a first remote database, such as thelower-trust database 14 described above or some other data store. Insome embodiments, the first write request may specify that a set ofvalues are to be written to a set of fields in a set of records in adatabase, which may include adding new values to new fields to newrecords or modifying existing data. The first write request may beformatted in a schema specified by an application program interface ofthe database driver and may be operative to cause the database driver torespond regardless of whether the registration step of block 202 hasoccurred, though the application may then proceed to operate in a lesssecure fashion in some cases as a result of omitting operations from thesecurity driver.

Next, some embodiments may obtain a data policy, as indicated by block206. In some cases, the security driver 30 may maintain in memory a setof one or more policies that each include a set of rules, such as apolicy for each application or each lower-trust database 14.

Some embodiments may include classifying values to be written ashigher-security values or lower-security values, as indicated by block208. In some cases, this operation may include selecting one or morerules from one or more data policies, for example, based on anapplication writing data, a lower-trust database receiving the data orintended to receive the data, or other criteria. Some embodiments mayinclude applying one or more of the above-described rules to each valuein the write request to classify that value as higher-security orlower-security.

In some embodiments, the rules may each include one or more criteria bywhich data being written to a database is classified as lower-securitydata or higher-security data. In some cases, these rules may includerules that designate certain types of fields as lower-security orhigher-security, such as text fields versus integer fields, or fieldswithin a specified pattern. In some embodiments, the criteria mayexplicitly list higher-security fields and lower-security fields, anddata may be classified as higher-security or lower-security in virtue ofa write request attempting to place data into these fields. In someembodiments, the criteria may apply a regular expression to a fieldidentifier, such as a field name to determine whether values within thatfield are higher-security or lower-security. In some embodiments, therules may apply to the content of values being written, such that somevalues in a given field may be higher-security, while other valueswithin that given field may be lower-security. For example, somecriteria may include a regular expression that pattern matches againstthe content of values to determine whether those values arehigher-security or lower-security, for instance, designating values thathave a format consistent with a phone number, credit card number, orSocial Security number, regardless of the field in which they belong, ashigher security.

Next, some embodiments may store the lower-security values in the firstremote database, as indicated by block 210. In some cases, the firstremote database may be the database that the workload application isconfigured to interface with when initially installed or off the shelf.Thus, the workload application may be configured to interface with thefirst remote data face without retrofitting. In some cases, this mayinclude writing values to the lower-trust database 14, for instance,consistent with the operations described above with reference to block106 of FIG. 4 .

Some embodiments may then store the higher-security values in a secondremote database, as indicated by block 212. In some cases, the secondremote database may be one of the above-described higher-securitydatabases, such as those hosted within the secure distributed storage 16of FIG. 1D, implementing the data structures of FIGS. 3 and 5 . Or insome cases, the secure second remote database may be another relationaldatabase or other type of database, for instance, one implementingadditional security features relative to the first remote database orsimply being isolated from the first remote database. In some cases,storing the higher-security values may include the operations describedabove with reference to FIGS. 2 and 4 .

Next, some embodiments of the security driver may cause pointers to bestored, for example, storing pointers to the higher-security values inthe first remote database, as indicated by block 214. For example, thismay include modifying the application program interface request from theworkload application to the database driver to replace higher-securityvalues with node identifiers, segment identifiers, document identifiers,or other types of identifiers like those described above, beforeadvancing the modified application program interface request to thedatabase driver. In some cases, the database driver may then translatethe application program interface request into commands and a datastream appropriate to cause the first remote database to store thepointers that identify where the corresponding values are stored in thesecond remote database.

Next, embodiments may later read data back. In some cases, this mayinclude receiving a query and then receiving a query response with thepointers included in the query response, as indicated by block 216. Insome embodiments, the query itself may be modified, for example, where acriterion in the query depends upon the content of higher-securityvalues. For example, some embodiments may select all values with amodified query; then within the security driver or the translatordescribed above, replace pointers with the corresponding valuesretrieved from the second remote database; and then apply criteria ofthe original query to those values to determine which values areresponsive to the query issued by the workload application.

In some cases, a single query from a workload application may spawn acascade of iterative, subsequent queries, for example, where joinoperations are performed, and in which data is merged from the first andsecond remote databases to determine intermediate query responses. Forexample, a workload application may request mailing addresses of allusers with a credit card number that begins with the specified sequence,and the mailing addresses and credit card numbers may be maintained indifferent tables, with the credit card numbers designated ashigher-security values, and the mailing addresses designated aslower-security values. In some cases, these two different tables may belinked by a primary key in one table that is referenced as a foreign keyin another table, and a query from a workload application may specify ajoin. Some embodiments may retrieve, for example, every record in thefirst database having pointers to values in the second database thatreflect the credit card numbers, merge those values, determine whichforeign keys in the table having mailing addresses are responsive to thequery criteria, and then issue a subsequent query to the first remotedatabase for those records. In some cases, to expedite these operations,an index may be maintained in which the pointers are associated withvalues that indicate whether the values are responsive to certaincriteria (e.g., a threshold number of prefix characters or suffixcharacters), and embodiments may access this index to identify a subsetof pointers for which values are retrieved from the secure datastore.

Some embodiments may interface with databases with the techniquesdescribed in U.S. Provisional Patent Application 62/527,330, titledREPLACING DISTINCT DATA IN A RELATIONAL DATABASE WITH A DISTINCTREFERENCE TO THAT DATA AND DISTINCT DE-REFERENCING OF DATABASE DATA(docket no. 043788-0453422), filed 30 Jun. 2017, the contents of whichare hereby incorporated by reference.

In some embodiments, these operations may be expedited by assigningpointers or other types of unique identifiers that are based on thecontent of the values to which the pointers point, for example, based oncryptographic hash values based solely on the content of the values towhich the pointers point. As a result, different instances, of the samevalue, for example, in different rows or other tuples of a database maycorrespond to the same pointer. These pointers may be said to be uniqueidentifiers in the sense that they uniquely identify content, in somecases without revealing the semantic information in that content, forinstance, with the cryptographic hash identifier, while still having thesame unique identifier replicated for multiple instances of that valueappearing at multiple rows and a database, for example.

In some cases, values may be cryptographically hashed in conjunctionwith a tenant identifier (e.g., by concatenating the values with adelimiter before inputting to a hash function), such as a random stringof a certain amount of entropy, like longer than 64 bytes, so that thesame value for a given tenant consistently hashes to the same pointer,while the same value for different tenants hash to different pointers.Or in some cases, the unique identifiers may be unique between instancesas well. Thus, the same value appearing in two different rows may have adifferent unique identifier in each instance, though some embodimentsmay operate more slowly as a result. In some embodiments, the securitydriver may detect duplicate instances of a pointer when reading backdata, and cause a single request from the second remote database for asingle value to populate each of these positions held by the differentinstances of the same pointer. Thus, fields with a relatively lowcardinality may still facilitate relatively fast joints even when thosefields are designated as relatively high security, and a relativelysmall number of values may populate a relatively large number of rows.

Similar operations may be performed when writing, for example, bygrouping data classified as high security according to the value, forexample, by sorting the data and then detecting groups of instances inwhich the values are the same, or storing the data in a hash table anddetecting duplicates with hash collisions where the same values arewritten to the same index of the hash table. In these examples, someembodiments may then assign the same unique identifier to each instancein the group where this value is the same, and cause that uniqueidentifier, which may serve as a pointer, to be stored in place of thosehigher-security values in the first remote database.

Upon replacing pointers with the values from the second remote database,as indicated in block 218, some embodiments may provide a modified queryresponse to the querying application, as indicated by block 220. In someembodiments, the querying application may be a different workloadapplication from that which wrote the data, and in some cases, may be ona different computing device. In some cases, data be read multiple timesfor a given write, or data may be written multiple times before a mostrecent version of the value is read.

Immutable Logging of Access Requests to Distributed File Systems

It is becoming increasingly common to use third party off-site datastorage platforms (e.g., Dropbox™ or Google Drive™) as well as on-siteplatforms (e.g., SharePoint™, Confluence™, OwnCloud™, etc.), but inthese systems, auditing changes to these files becomes a difficult andoften impractical task. In some cases, files are stored in largecontiguous chunks that pose easy access for threat-actors, and in manycases, changes to the data do not yield a reliable record by which suchchanges may be detected. For instance, upon penetrating such a system,and making a change, a threat actor may also doctor log records or otherrecords by which a change would otherwise be detectable. (Again, none ofwhich is to suggest that such approaches are disclaimed.)

As noted above, traditional databases do not adequately protect againstthreat actors or internal resources (employees, information-technologystaff, etc.) tampering the data. To the extent such systems have auditlogs, those logs are often only as secure as the data for which accessis logged, meaning that if the data is compromised, often so is theaudit log. Some products offer “secure storage” through the use ofpassword protected folders or data storage areas, however such productsgenerally do not provide immutable and distributed properties andoften-times their audit logs can be modified, particularly by employeeswith elevated-access credentials.

As noted above, by scattering (e.g., breaking up into segments anddistributing) files into one or more blockchains, some embodiments areable to provide immutable and distributed properties to files. Further,since the files are distributed, in some embodiments, there is anapplication that reassembles the files. By making that reassemblyprocess necessary, some embodiments form a control point by which theembodiment is able to produce a blockchain-backed audit trail of everyaccess to the files (or database values or log entries) stored usingthis method.

As noted above, in some embodiments, data access is implemented in anapplication (e.g., a client-side application) that is capable oflistening to events generated by an operating system's filesystem,reading in the changes that caused the notification and reporting themto an application referred to as “an arbiter” instance for scatteringand storage in blockchains. In some embodiments, the scatter operation'sresultant TXID is what is stored in place of the actual data on theclient's filesystem, or similar approaches like those described abovemay be implemented with the security driver above.

When a read operation is requested by the filesystem, in someembodiments, the stored TXID (or other pointer) is sent to an arbiterinstance for reassembly, loaded in place and then that file's defaultapplication handler is opened with that file (e.g., in some cases, a PDFfile would generally be opened with Adobe Reader™). If the user does notdesire to have a filesystem reader placed on an entire filesystem orsubset of a filesystem (a directory), in some embodiments, a user couldscatter a file by accessing a context menu and directing the file to beplaced in ScatterFS.

Finally, in some embodiments, an application program interface (API) maybe exposed so that any third party application can pass a file-handle,buffer or other data-stream for scattering and storage.

Thus, some embodiments may distribute data among multiple computingdevices, in some cases in a peer-to-peer network hosting an immutabledistributed data structure, like a blockchain, and those embodiments maylog and store access records in another (or the same) blockchain,thereby monitoring a necessary control point to access the data andcreating an immutable record of such access attempts. It should beappreciated that the present techniques are not limited toblockchain-based distributed databases, and similar techniques arecontemplated for other distributed file systems, e.g., Network FileSystem, Self-certifying File System, Server Message Block, MapR FS,Amazon S3, and Starfish distributed file systems.

In some embodiments, logging and log analysis may be implemented with aprocess 230 shown in FIG. 9 . In some embodiments, the process 230 maybe executed at least in part by a system implementing one or more of theabove-described techniques. In some embodiments, logging may beimplemented on a computing device that serves as a chokepoint in theaggregation or disaggregation of information being stored into or readfrom a distributed data store like that described above or other typesof distributed data stores. In some embodiments, the information may bedistributed in such a way that each unit of content requires informationfrom different computing devices to be accessed (e.g., in virtue ofsegmenting or separation of encryption keys from cyphertexts), and thatinformation from different computing devices may be aggregated by acomputing device that causes logging in a tamper-evident log. Similarly,write operations may be logged by a computing device that causes theinformation to be broken up and distributed among the differentcomputing devices (e.g. with segmenting or separation of cyphertextsfrom encryption keys, or combinations thereof). Thus, in some cases,logging occurs during each access operation in virtue of logging beingeffectuated by a computing device necessary to read or write informationthat is otherwise inaccessible unless the information passes throughthat computing device that causes logging. In some embodiments, theinformation may be logged in a tamper-evident, immutable log like thatdescribed above, in some cases in the same data structures that storethe information being accessed, such as workload content like databaseentries and various types of documents in a file system. In some cases,logging may be effectuated, for example, caused by the above-describedtranslator 20 of FIG. 1D, but embodiments are not limited to thatimplementation, which is not to suggest that any other description islimiting.

In some embodiments, the process 230 includes receiving a request toaccess a distributed data store, as indicated by block 230. In someembodiments, the request may be a read request or write request. In someembodiments, the right request is accompanied with a unit of content,such as a value being displaced with a pointer in the lower-trustdatabase 14 in accordance with the above-described techniques, or adocument being replaced by a pointer in a lower-trust file system inaccordance with the above techniques, which is not to suggest thatdocuments cannot be stored in a database as values in that database orthe any other description herein is limiting. Similarly, and some cases,a read request may be accompanied with a pointer stored in a lower-trustdata store in place of the unit of content and read in accordance withthe above techniques. In some cases, the unit of content to be accessedis referenced with a pointer to a segment that serves in a first segmentin a content graft like that described above, such as a linked list ofsegments where different segments of the unit of content are distributedamong different tamper-evident directed acyclic graphs.

In some embodiments, the process 230 may include aggregating ordisaggregating units of content pertaining to the access request, asindicated by block 234. In some embodiments, this may include thesegmentation operations described above with reference to block 112 orthe joining of segments described above with reference to block 164. InFIGS. 4 and 4 , respectively. Alternatively, or additionally, this mayinclude encryption and separation for storage of cyphertexts fromencryption keys or bringing separately stored encryption keys andcyphertexts together to effectual decryption.

Before or after aggregating or disaggregating (which is not to suggestthat any other step herein is limited to the sequence described in thepresent example) some embodiments may cause logging of the accessrequest in an entry in a tamper-evident log, and logging may be causedwith a computing device participating in aggregating or disaggregatingthe units of content, as indicated by block 236. In some embodiments,logging may be caused by a computing device necessary to make the unitsof content accessible through the aggregating or disaggregating. In someembodiments, logging may be caused by the above-described translator 20,which is not to suggest that the translator 20 is required in allembodiments consistent with all of the present techniques, or that anyother description herein is limiting.

In some cases, causing logging includes selecting one or more of theabove-described directed acyclic graphs, like those discussed withreference to FIG. 5 and stored in the storage compute nodes 26 of FIG.1D. In some cases, causing logging includes sending an instruction toone or more of those directed acyclic graphs (e.g., to a servicemonitoring a network socket and managing the graph responsive to suchinstructions) to store a record describing a logged event in thedirected acyclic graphs, for example, storing the record as a documentin accordance with the techniques described above with reference toFIGS. 2 and 3 , and in some cases fragmenting the record into multiplesegments in accordance with the techniques described above withreference to FIGS. 4 and 5 . Or in some cases, the record may be storedoutside of the tamper-evident log, and a cryptographic hash of therecord and a timestamp of the record may be stored as node content ofone of the above-described tamper-evident directed acyclic graphs havingcryptographic hash pointers as edges. In some embodiments, in virtue ofthese graphs, modifications to records describing log entries may becomputationally infeasible to conceal, as the chain sequence ofcryptographic hash values in the directed acyclic graphs based uponthose records may create an insurmountable computational challenge tocalculate hash collisions along the entire sequence of a path throughthe directed acyclic graph that collides with the values produced by theoriginal unaltered record. (It should be noted that attributes of nodesmay be stored in edges or vice versa.)

In some embodiments, the process 230 includes logging entries thatdescribe a variety of different aspects of the access request. In someembodiments, the entry is documented with a record that includes anidentifier of a user account making the access request, an identifier ofan application, such as a workload application through which the accessrequest was submitted, a content of the access request, such as acommand including content to be written or identifying units of contentto be read. Such records may further include a timestamp, such as a dateor date and time indicating when the access request was received. Therecords in some cases may include a geolocation of a computing devicesubmitting the request. In some embodiments, such records documentingentries in the tamper-evident log may further include identifiers ofcomputing devices through which the access requests were submitted tothe above-describe system, such as MAC addresses, Internet Protocoladdresses, browser fingerprints, hardware fingerprints, or the like.

Some embodiments may store the tamper-evident log in memory, asindicated by block 238, which in some cases may include adding a newentry or modifying an entry in a tamper-evident log already stored inmemory, which may be replicated in multiple instances in accordance withthe techniques described above. This may include forming part of a blockto be added at a later time to such a log, e.g., a blockchain.

Some embodiments of the process 230 may include validating thetamper-evident log, as indicated by 240. Validation may includedetermining whether the tamper-evident log indicates that logged entrieshave been modified after being logged. In some embodiments, thisoperation may include accessing a current log version of an entry andthen calculating a cryptographic hash value based on that current logentry. Some embodiments may then compare that current cryptographic hashvalue to one or more other cryptographic hash values in thetamper-evident log, for example, some embodiments may compare thatcryptographic hash value to a cryptographic hash value stored in anadjacent node in one of the above-described directed acyclic graphs todetermine whether the cryptographic hash values match or, if they do notmatch, indicate that the record was modified. In some embodiments, asequence of cryptographic hash values based upon one another may becalculated to determine which match and identify a path through adirected acyclic graph to a node where the cause of a discrepancyresides. In some embodiments, validation may occur upon each writeoperation, periodically, upon each read operation, or according to someother schedule or event.

Detectability of tampering may deter threat actors from modifying logentries or maliciously accessing data in virtue of the difficulty ofmodifying log entries in a concealable manner. Further, some embodimentsmay fragment log entries in accordance with some of the above-describetechniques, further making modifications difficult, as a heterogeneousset of different computing devices on different networks may need to becompromised to modify each segment even if a threat actor somehow wasable to compromise the mechanisms by which tampering is indicated.

In some embodiments, the process 230 includes determining whether thevalidation operation evinces tampering, as indicated by block 241, forexample indicating a mismatch between cryptographic hash values within adirected acyclic graph. Upon detecting tampering, some embodiments mayemit an alarm, as indicated by 242. In some embodiments, the alarm maybe emitted by sending an email, text message, or chat message. Someembodiments may further proceed to take certain operations to lockeddown portions of a system, for example, disabling credentials, reducinglevels of access associated with credentials, adjusting some of thebelow-described thresholds to decrease an amount of data that may beaccessed before subsequent access is slowed or blocked, or limitingaccess to lower-security data.

In some embodiments, upon determining that there is no evidence oftampering, or after emitting the alarm, some embodiments may proceed todetermine a risk metric based on access requests documented in thetamper-evident log, as indicated by block 244. Risk metrics may take avariety of different forms, and in some cases risk metrics may becalculated for a variety of different entities. For example, differentrisk metrics may be calculated for different users, workloadapplications, computing devices, or combinations thereof. In someembodiments, the risk metric may be an amount of access requestsreceived within a trailing duration of time, a total amount of accessrequests, or combination thereof. In some embodiments, the risk metricis based on deviation from previous patterns of behavior. For example,some embodiments may train a machine learning algorithm, such as ahidden Markov model, recurrent neural network, or the like, based onhistorical log events, to predict the likelihood of various types ofaccess requests (or sequences of such requests), such as to particularunits of content, types of unit of content, amounts of access requests,frequencies of access requests, or the like, for a given user, workloadapplication, computing device, portion of a network, or combinationthereof. Some embodiments may then compare these predictions based on acurrent trailing sequence of logged events with later received accessrequests and determine a risk metric based on the likelihood, forexample, a probability of the given access requests given previousbehavior. Failures of such predictive models may be evidence ofanomalous, malicious behavior. Some embodiments may use this probabilityis a risk metric or determine an aggregate of these probabilities over aplurality of risk metrics, such as a measure of central tendency, like amean, median, or mode of these probabilities over a trailing duration ornumber of access requests.

In another example, the risk metric may be based on the content of unitsof content being written. For example, some embodiments may calculate anentropy of units of content being written and compare that entropy tomeasures of entropy associated with other units of content historicallywritten to the distributed data store, for example, previous databaseentries or documents. In some embodiments, this difference may beindicative of a ransomware attack in which relatively high entropyencrypted versions of data are being written as a current version.(Though it should be noted that some implementations may use animmutable data store in which earlier values remain in place and systemsmay be rolled back to earlier values in the event of such an attack insome embodiments by replacing pointers in lower-trust storage to currentversions to be pointers to last-known good versions.)

Next, some embodiments may determine whether the risk metric exceeds orotherwise satisfies a first threshold, as indicated by block 246.Comparisons to thresholds described herein should not be limited to acomparison that depends upon the sign of the values applied, which isnot to suggest that any other description is limiting. The term“satisfies” is used generally to refer to scenarios in which onethreshold may be satisfied by exceeding (or being equal to in somecases) that threshold and an equivalent threshold in which values arewas multiplied by −1 may be satisfied by being less than (or being equalto in some cases) that threshold, or vice versa. Upon determining thatthe risk metric satisfies the first threshold, some embodiments mayblock subsequent responses to subsequent access requests, as indicatedby block 248. In some cases, blocking may be implemented by thecomputing device participating in aggregating or disaggregating theunits of content discussed above with reference to block 236.

If access is not blocked, some embodiments may compare the risk metricto a second threshold, as indicated by block 250. In some embodiments,the second threshold may be less stringent than the first threshold, forexample, corresponding to lower levels of risk. In some embodiments,upon determining that the risk metric satisfies the second threshold,some embodiments may delay subsequent responses to subsequent accessrequests, as indicated by block 252. In some embodiments, this mayinclude starting a countdown timer and determining when a designatedduration of time has elapsed before aggregating or returning units ofcontent or disaggregating and writing units of content, in some casesfor each unit of content in an access request pertaining to a pluralityof units of content. Thus, some embodiments may implement a softblocking mechanism by which functionality is provided at a certainlevel, while delaying in providing time for a human response in theevent that a scripted attack is occurring. In some embodiments, uponsatisfying the first or second thresholds in block 246 and 250, someembodiments may emit an alarm using techniques like those describedabove to facilitate investigation and, if needed human intervention.Embodiments may then return to wait for the next request to access thedistributed data store in block 232.

Storing Differentials of Files in a Distributed Blockchain

Often, blockchain-based databases are not well suited for storage oflarge, frequently modified collections of data, like files or otherbinary blobs of data. Because of the immutable nature of blockchains,previous entries in a chain (which may represent files or values in adatabase) generally cannot be deleted or overwritten. Thus, each versionof a file can add to the size of a blockchain ledger, and where the fileis stored in the ledger and modified frequently, the size of ablockchain ledger can become too expansive to be efficiently accessed.

To combat the above-noted negative consequences of the immutableproperty of blockchains, some embodiments store only changes(differentials) of files over time, rather than entire copies of a fileat each change.

Some embodiments may receive a write request for a modified file (orother blob of data) and determine whether the data has changed from aprevious version. In some embodiments, upon reading the data initially,hash digest (e.g., a MD5 hash) of the data may be calculated and held inmemory. Upon a write, a new hash may be calculated based on the data tobe re-written to memory, and that hash may be compared to the earlierhash to determine whether the file has changed.

Upon detecting a change, some embodiments may determine a delta betweenan earlier version (e.g., a most recent version) and a current version.In some cases, the database may store a delta of an earlier change, andsome embodiments may iterate through a sequence of deltas to re-create aprevious version of a document or other file. Upon obtaining the mostrecent version, some embodiments may determine a delta with the newversion, e.g., by determining a set of longest common subsequencesbetween the versions and store the resultant diff, e.g., in unifiedformat.

In most cases, it is expected that the resultant diff will be muchsmaller than the new version of the file (or other blob). As such,storing the diff in the blockchain is expected to be lesscomputationally expensive than storing the entire new version. Further,because the file itself is ultimately stored in the blockchain (ratherthan just a hash digest), the system is expected to be more robust tovarious attacks, such as a hash collision attack. In such attacks,malicious content is selected and designed to produce the same hash asstored data, and that malicious data is substituted in the database forthe authentic data. With traditional systems, the blockchain will yielda hash value that validates the malicious content as authentic. Incontrast, some embodiments circumvent this attack vector by storing thedata committed to the database in the blockchain. Further, in contrastto systems that merely store a hash digest of a document in the chain,some embodiments offer increased control of the file (or other BLOB). Inthese older systems that only store a hash digest, the system does nothave no control of the file. Such systems could delete the file from theexternal data-store, and all that would be left with in a chain is thehash digest. That is, such systems can authenticate a file, but theycannot reproduce the file. That said, not all embodiments afford thesebenefits, as various engineering and cost tradeoffs are envisioned, andmultiple independently useful inventions are described, which is not tosuggest that any other description is limiting.

In some embodiments, the above techniques may be implemented withprocesses described below with reference to FIGS. 10 and 11 that operateupon a data structure described below with reference to FIG. 12 .

As shown in FIG. 10 , some embodiments may include a process 260 thatwrites a difference between a new version of a document and previouslystored versions of a document to a tamper-evident, immutable datarepository, such as a block chain or one of the above-described examplesof directed acyclic graphs having cryptographic hash pointers. In someembodiments, the process 260 may be executed by the above-describedsecurity driver 30 in conjunction with the above-described translators20 or by other components, for example, based on a gateway on a networkresiding between network storage or a database and a client computingdevice. In some embodiments, the process 260 may be executed by aclient-side application that wraps or otherwise interfaces between aclient-side workload application and a database driver or a filesystemdriver, for example, a file system driver executing in the sameoperating system as the workload application and the process performingthe operations of FIGS. 10 and 11 .

In some embodiments, a filesystem of a local computing device includes ahierarchy of directories having files arranged therein, for example,binary large objects with various examples of metadata, like file names,creation dates, modification dates, authors, permissions to access, andthe like. In some embodiments, these directories may be localdirectories stored on the computing device executing a workloadapplication or on a remote network attached storage device. In someembodiments, some of the files in the directories may be replaced withtext files having computer readable pointers to, for example, documentsstored with techniques like those described above, and some embodimentsmay intercept (e.g., receive directly, pass through, observe uponfiltering, etc.) read or write access requests by a filesystem explorerapplication to a filesystem driver and detect these pointers disposed inthe directories in place of the documents. Some embodiments may then, inresponse, effectuate the corresponding operations on documents stored ina tamper-evident, immutable data repository, like those described aboveor other types of remote storage. In some cases, this may includecreating new versions, updating pointers stored in the directory, andvarious other operations. Further, these techniques may similarly beapplied to database read and write operations, for example, storingdifferences between previously stored values and databases that arerelatively large and new versions of those values in databases.

In some embodiments, the process 260 includes receiving a request towrite a new version of a document to a tamper-evident, immutable datarepository, as indicated by block 262. In some embodiments, thisoperation may be performed by the above-described security driver orother client-site arbiters, for example, with the process of FIG. 8 . Insome embodiments, the request may include a designation of the documentas higher security and a pointer to a previous version of the documentstored in the client-side computer accessible directory or database. Forexample, the user may have previously read the previous version intolocal memory of the client computing device workload application,transformed the previous version, and then requested to store the newversion, causing the request to be received in the operation of block162.

Next, some embodiments may determine that the new version of thedocument is different from the previous version of the document, asindicated by block 264. In some embodiments, this may be performed byretrieving the previous versions from the tamper-evident, immutable datarepository, for example, with a read process like that described belowwith reference to FIG. 11 . Or some embodiments may expedite thisdetermination by storing outside of the tamper-evident, immutable datarepository, an index that associates pointers to documents with hashdigests of those documents. In some embodiments, the hash digest is acryptographic hash value based upon the content of the document, or anon-cryptographic hash value based upon the content of the document. Itshould be noted, that not all hash functions are cryptographic hashfunctions having the attributes described above is being exhibited bysuch functions. In some cases, non-cryptographic hash functions may befaster to compute than cryptographic hash functions, or embodiments mayuse cryptographic hash functions to enhance security. Accordingly, someembodiments may make the determination of block 264 without retrievingthe previous version of the document from the tamper-evident, immutabledata repository, for example, by calculating a new hash digest based onthe new version and comparing that new hash digest to a previouslycalculated hash digest of the previous version stored outside thetamper-evident, immutable data repository, for example, in associationwith a pointer to that previous version in an index. Upon determiningthat the hash values match, some embodiments, may terminate the process260, as the previous version may be determined to be the same as the newversion.

Alternatively, upon determining that the new version of the document isdifferent from the previous version of the document, some embodimentsmay proceed to obtain the previous version of the document from thetamper-evident, immutable data repository, as indicated by block 266. Insome embodiments, this may include retrieving the previous version withread operations, for example, like those described with reference toFIG. 11 , which in some cases may engage the processes described abovewith reference to FIGS. 2, 5, 6, and 7 .

Next, some embodiments may determine a set of changes required totransform the previous version into the new version of the document, asindicated by block 268. In some embodiments, this operation may berelatively computationally expensive and include determining a longestmatching sub string between the two documents in the course ofdetermining a minimum set of changes required to transform the previousversion into the new version. In some cases, these changes may belimited to deletions, appending text (e.g., prepending or postpending),and changing values of existing text. In some embodiments, thedetermination may be made with a diff operation in which the previousversion and the new version are input into a diff function, which mayreturn the set of changes. In some embodiments, the changes may beimplemented with the Hunt-McIlroy algorithm, as described in a papertitled AN ALGORITHM FOR DIFFERENTIAL FILE COMPARISON by Hunt andMcIlroy, Bell Laboratories Computing science technical report, 1976, thecontents of which are hereby incorporated by reference.

In some cases, to expedite comparisons, each line of the two documentsmay be transformed into a hash digest of that line that is relativelyfast to operate upon, for example, converting each line with a hashfunction into a 64 bit or shorter, such as a 32 bit or shorter or 16 bitor shorter hash digest of the content of that respective line. Thus,each of the two documents may be transformed into an ordered list ofhash digests, and some embodiments may then compare the two ordered listof hash digest to identify sequences of text that are likely to have notchanged between the two versions. For example, some embodiments mayidentify a number of lines at a beginning and an end of the list wherethere are no changes. Upon detecting a line at which changes begin, someembodiments may then search forward in one list until a match is found,thereby potentially detecting insertions.

Some embodiments may then store the set of changes in thetamper-evident, immutable data repository, as indicated by block 270. Insome cases, this may include performing the operations of FIG. 2 on thedata structure of FIG. 3 to store a document, or segmenting the documentin accordance with the techniques described above with reference toFIGS. 5 and 6 and storing the document in that manner.

Some embodiments may further include storing a pointer to the previousversion of the document in association with the set of changes, asindicated by block 272. In some embodiments, the pointer to the previousversion of the document may be stored in the tamper-evident immutabledata repository as metadata to the set of changes, thereby forming anode and edge of a version graph, like that described below withreference to FIG. 12 . In some embodiments, documents may be encoded asa linked list of sets of changes with pointers between the sets ofchanges tracing back to an initial version of the document, for example,in the above-described data structures, and documents may be retrievedby retrieving each of the sets of changes and then iteratively applyingthem, as described in greater detail below with reference to FIG. 11 .

In some embodiments, an updated pointer to the newly stored set ofchanges from block 270 may be stored in the file system (or databasecell) in place of the previous pointer submitted with the request towrite the new version in block 262. Thus, a subsequent read request forthat file may identify that new pointer and retrieve the new set ofchanges and then trace back to the initial version through the previousversion, as described in greater detail below with reference to FIG. 11. Similar operations, like those described above, may be performed on avalue stored in a database, replacing a pointer in a database cell toreference the new version.

In some embodiments, version graphs may branch. For example a user mayrequest to write to a previous version of a document or to write to newversions to a previous version of the document, thereby forming parallelchange of a version graph that share a subset of their version historywith one another but then branch a part later in the version graph. Thisis expected to further compress data and increase the amount ofdocuments that can be stored in a given amount of storage in atamper-evident, immutable data repository.

FIG. 11 shows an example of a process 280 to read a document, or otherunit of content, from a tamper-evident, immutable data repositorystoring version graphs of documents as sequences of differences betweenversions of documents tracing back to initial version. In someembodiments, the process 280 may be performed in the course of obtainingthe previous version of the document in block 266 of FIG. 10 , or uponreceiving a request by workload application to access a stored document,for example, upon intercepting a request to a file system driver toaccess a document replaced with a pointer to a document stored in one ofthe above-describe data structures.

In some embodiments, the process 280 includes receiving a read requestidentifying a pointer to a most recent version of a document in atamper-evident, immutable data repository, as indicated by block 282. Insome cases, the pointer may be to a previous version, for example, upona user requesting to roll back to a previous version. In someembodiments, the read request may be intercepted with the techniquesdescribed above by which write requests are intercepted.

Next, some embodiments may read the version located by the currentpointer, as indicated by block 284, for example by performing the readoperations described above by which documents are retrieved in the datastructures of FIG. 3 or FIG. 5 , or other database entries are received.

Some embodiments may then determine whether the red version is theinitial version of the document or other unit of content, as indicatedby block 286. In some cases, an initial versions may be explicitlyflagged as such when stored, or initial versions may be implicitlydesignated as such in virtue of lacking a pointer to an earlier version.As noted above, pointers may be stored in association with subsequentversions, as discussed in reference to block 272.

Upon determining that the version retrieved was not the initial version,some embodiments may designate a pointer associated with the retrievedversion, for example, stored as metadata of the retrieved version in thetamper-evident, immutable data repository, as the current pointer, asindicated by block 288.

Next, some embodiments may add a set of changes associated with theretrieved version, for example, stored at a location or sequence oflocations in the tamper-evident, immutable data repository identified bythe current pointer, to a last in first out buffer, as indicated byblock 290. In some cases, the buffer may be characterized as a stack.Some embodiments may then return to block 284 to read the next earlierversion located by the updated current pointer in block 284.

Upon encountering an initial version in block 286, some embodiments mayproceed to block 292 and initialize a copy of the document to theinitial version, for example, setting a working copy of the document tobe equal to the initial version that was retrieved. Some embodiments maythen determine whether there are more changes in the buffer to process,indicated as indicated by block 294. In some cases, some embodiments maydetermine whether the buffer is empty or there are more values, that issets of changes, stacked in the buffer.

Some embodiments may, upon determining that there are more changes,retrieve a next set of changes from the buffer, as indicated by block296, in some cases this may include deleting that next set of changesfrom the buffer to update the buffer to reflect the next set of changesare to be applied. In some cases, this may be characterized as popping aset of changes from a stack.

Next, some embodiments may apply the next set of changes to the currentworking copy of the document, as indicated by block 298. In some cases,this may include accessing a set of deletion operations, changeoperations, and append operations. In some embodiments, these changesmay each be associated with a line number to which the change is to beapplied, a sequence with which the change is to be applied, and acontent in some cases to be applied, for example indicating replacementtext or appended text (or bits).

Some embodiments may then return to block 294 to determine whether theremore changes in the buffer. Upon reaching the end of the buffer, forexample, the bottom of the stack, some embodiments may proceed to block300 and return the copy of the document. In some cases, the copy of thedocument may be returned to a workload application configured to accessthe document, for example, based on a file system extension mapped inthe operating system to a particular workload application. In someembodiments, the read operation may be transparent to a user, and mayappear to the user as if the user is operating on a locally stored ornetwork stored copy of a document, with the user experience beingidentical or substantially identical to that experienced by a user whois not interfacing with the above-described secure distributed storage16, thereby providing higher security without imposing on users or insome cases requiring retrofits of workload applications that can beexpensive. (That said, embodiments are not limited to systems affordingthese benefits, which is not to suggest that other descriptions arelimiting.)

In some embodiments, the processes of FIGS. 10 and 11 may produce a datastructure 310 like that shown in FIG. 12 . In some embodiments, the datastructure 310 may include the verification graphs described above withreference the data structure 130 of FIG. 5 , along with the contentgraph 138 described above with reference to FIG. 5 . In this example,the content graph 138 may be a most recent stored version of a document,which may be a set of changes from an earlier version. In someembodiments, the earlier version may, for example, be an initial versionof a document, stored in another content graph 314 shown in FIG. 12 .Content graph 314 may, like content graph 138 include a sequence ofcontent nodes, such as segments, connected by pointers between thesegments, by which an initial version of a document or a set of changesassociated with a given version may be assembled during a readoperation. In some embodiments, thus, the data structure 310 may store athird overlaid graph, which may be a version graph 312. In this example,version graph 312 includes an edge 316, which may be a pointer from themost current version stored in content graph 238 to an earlier, initialversion stored in content graph 314. In some embodiments, the pointer tomay be to an initial segment of the content graph storing the earlierversion.

FIG. 13 is a diagram that illustrates an exemplary computing system 1000in accordance with embodiments of the present technique. Variousportions of systems and methods described herein, may include or beexecuted on one or more computer systems similar to computing system1000. Further, processes and modules described herein may be executed byone or more processing systems similar to that of computing system 1000.

Computing system 1000 may include one or more processors (e.g.,processors 1010 a-1010 n) coupled to system memory 1020, an input/outputI/O device interface 1030, and a network interface 1040 via aninput/output (I/O) interface 1050. A processor may include a singleprocessor or a plurality of processors (e.g., distributed processors). Aprocessor may be any suitable processor capable of executing orotherwise performing instructions. A processor may include a centralprocessing unit (CPU) that carries out program instructions to performthe arithmetical, logical, and input/output operations of computingsystem 1000. A processor may execute code (e.g., processor firmware, aprotocol stack, a database management system, an operating system, or acombination thereof) that creates an execution environment for programinstructions. A processor may include a programmable processor. Aprocessor may include general or special purpose microprocessors. Aprocessor may receive instructions and data from a memory (e.g., systemmemory 1020). Computing system 1000 may be a uni-processor systemincluding one processor (e.g., processor 1010 a), or a multi-processorsystem including any number of suitable processors (e.g., 1010 a-1010n). Multiple processors may be employed to provide for parallel orsequential execution of one or more portions of the techniques describedherein. Processes, such as logic flows, described herein may beperformed by one or more programmable processors executing one or morecomputer programs to perform functions by operating on input data andgenerating corresponding output. Processes described herein may beperformed by, and apparatus can also be implemented as, special purposelogic circuitry, e.g., an FPGA (field programmable gate array) or anASIC (application specific integrated circuit). Computing system 1000may include a plurality of computing devices (e.g., distributed computersystems) to implement various processing functions.

I/O device interface 1030 may provide an interface for connection of oneor more I/O devices 1060 to computer system 1000. I/O devices mayinclude devices that receive input (e.g., from a user) or outputinformation (e.g., to a user). I/O devices 1060 may include, forexample, graphical user interface presented on displays (e.g., a cathoderay tube (CRT) or liquid crystal display (LCD) monitor), pointingdevices (e.g., a computer mouse or trackball), keyboards, keypads,touchpads, scanning devices, voice recognition devices, gesturerecognition devices, printers, audio speakers, microphones, cameras, orthe like. I/O devices 1060 may be connected to computer system 1000through a wired or wireless connection. I/O devices 1060 may beconnected to computer system 1000 from a remote location. I/O devices1060 located on remote computer system, for example, may be connected tocomputer system 1000 via a network and network interface 1040.

Network interface 1040 may include a network adapter that provides forconnection of computer system 1000 to a network. Network interface may1040 may facilitate data exchange between computer system 1000 and otherdevices connected to the network. Network interface 1040 may supportwired or wireless communication. The network may include an electroniccommunication network, such as the Internet, a local area network (LAN),a wide area network (WAN), a cellular communications network, or thelike.

System memory 1020 may be configured to store program instructions 1100or data 1110. Program instructions 1100 may be executable by a processor(e.g., one or more of processors 1010 a-1010 n) to implement one or moreembodiments of the present techniques. Instructions 1100 may includemodules of computer program instructions for implementing one or moretechniques described herein with regard to various processing modules.Program instructions may include a computer program (which in certainforms is known as a program, software, software application, script, orcode). A computer program may be written in a programming language,including compiled or interpreted languages, or declarative orprocedural languages. A computer program may include a unit suitable foruse in a computing environment, including as a stand-alone program, amodule, a component, or a subroutine. A computer program may or may notcorrespond to a file in a file system. A program may be stored in aportion of a file that holds other programs or data (e.g., one or morescripts stored in a markup language document), in a single filededicated to the program in question, or in multiple coordinated files(e.g., files that store one or more modules, sub programs, or portionsof code). A computer program may be deployed to be executed on one ormore computer processors located locally at one site or distributedacross multiple remote sites and interconnected by a communicationnetwork.

System memory 1020 may include a tangible program carrier having programinstructions stored thereon. A tangible program carrier may include anon-transitory computer readable storage medium. A non-transitorycomputer readable storage medium may include a machine readable storagedevice, a machine readable storage substrate, a memory device, or anycombination thereof. Non-transitory computer readable storage medium mayinclude non-volatile memory (e.g., flash memory, ROM, PROM, EPROM,EEPROM memory), volatile memory (e.g., random access memory (RAM),static random access memory (SRAM), synchronous dynamic RAM (SDRAM)),bulk storage memory (e.g., CD-ROM and/or DVD-ROM, hard-drives), or thelike. System memory 1020 may include a non-transitory computer readablestorage medium that may have program instructions stored thereon thatare executable by a computer processor (e.g., one or more of processors1010 a-1010 n) to cause the subject matter and the functional operationsdescribed herein. A memory (e.g., system memory 1020) may include asingle memory device and/or a plurality of memory devices (e.g.,distributed memory devices). Instructions or other program code toprovide the functionality described herein may be stored on a tangible,non-transitory computer readable media. In some cases, the entire set ofinstructions may be stored concurrently on the media, or in some cases,different parts of the instructions may be stored on the same media atdifferent times.

I/O interface 1050 may be configured to coordinate I/O traffic betweenprocessors 1010 a-1010 n, system memory 1020, network interface 1040,I/O devices 1060, and/or other peripheral devices. I/O interface 1050may perform protocol, timing, or other data transformations to convertdata signals from one component (e.g., system memory 1020) into a formatsuitable for use by another component (e.g., processors 1010 a-1010 n).I/O interface 1050 may include support for devices attached throughvarious types of peripheral buses, such as a variant of the PeripheralComponent Interconnect (PCI) bus standard or the Universal Serial Bus(USB) standard.

Embodiments of the techniques described herein may be implemented usinga single instance of computer system 1000 or multiple computer systems1000 configured to host different portions or instances of embodiments.Multiple computer systems 1000 may provide for parallel or sequentialprocessing/execution of one or more portions of the techniques describedherein.

Those skilled in the art will appreciate that computer system 1000 ismerely illustrative and is not intended to limit the scope of thetechniques described herein. Computer system 1000 may include anycombination of devices or software that may perform or otherwise providefor the performance of the techniques described herein. For example,computer system 1000 may include or be a combination of acloud-computing system, a data center, a server rack, a server, avirtual server, a desktop computer, a laptop computer, a tabletcomputer, a server device, a client device, a mobile telephone, apersonal digital assistant (PDA), a mobile audio or video player, a gameconsole, a vehicle-mounted computer, or a Global Positioning System(GPS), or the like. Computer system 1000 may also be connected to otherdevices that are not illustrated, or may operate as a stand-alonesystem. In addition, the functionality provided by the illustratedcomponents may in some embodiments be combined in fewer components ordistributed in additional components. Similarly, in some embodiments,the functionality of some of the illustrated components may not beprovided or other additional functionality may be available.

Those skilled in the art will also appreciate that while various itemsare illustrated as being stored in memory or on storage while beingused, these items or portions of them may be transferred between memoryand other storage devices for purposes of memory management and dataintegrity. Alternatively, in other embodiments some or all of thesoftware components may execute in memory on another device andcommunicate with the illustrated computer system via inter-computercommunication. Some or all of the system components or data structuresmay also be stored (e.g., as instructions or structured data) on acomputer-accessible medium or a portable article to be read by anappropriate drive, various examples of which are described above. Insome embodiments, instructions stored on a computer-accessible mediumseparate from computer system 1000 may be transmitted to computer system1000 via transmission media or signals such as electrical,electromagnetic, or digital signals, conveyed via a communication mediumsuch as a network or a wireless link. Various embodiments may furtherinclude receiving, sending, or storing instructions or data implementedin accordance with the foregoing description upon a computer-accessiblemedium. Accordingly, the present techniques may be practiced with othercomputer system configurations.

In block diagrams, illustrated components are depicted as discretefunctional blocks, but embodiments are not limited to systems in whichthe functionality described herein is organized as illustrated. Thefunctionality provided by each of the components may be provided bysoftware or hardware modules that are differently organized than ispresently depicted, for example such software or hardware may beintermingled, conjoined, replicated, broken up, distributed (e.g. withina data center or geographically), or otherwise differently organized.The functionality described herein may be provided by one or moreprocessors of one or more computers executing code stored on a tangible,non-transitory, machine readable medium. In some cases, notwithstandinguse of the singular term “medium,” the instructions may be distributedon different storage devices associated with different computingdevices, for instance, with each computing device having a differentsubset of the instructions, an implementation consistent with usage ofthe singular term “medium” herein. In some cases, third party contentdelivery networks may host some or all of the information conveyed overnetworks, in which case, to the extent information (e.g., content) issaid to be supplied or otherwise provided, the information may providedby sending instructions to retrieve that information from a contentdelivery network.

The reader should appreciate that the present application describesseveral independently useful techniques. Rather than separating thosetechniques into multiple isolated patent applications, applicants havegrouped these techniques into a single document because their relatedsubject matter lends itself to economies in the application process. Butthe distinct advantages and aspects of such techniques should not beconflated. In some cases, embodiments address all of the deficienciesnoted herein, but it should be understood that the techniques areindependently useful, and some embodiments address only a subset of suchproblems or offer other, unmentioned benefits that will be apparent tothose of skill in the art reviewing the present disclosure. Due to costsconstraints, some techniques disclosed herein may not be presentlyclaimed and may be claimed in later filings, such as continuationapplications or by amending the present claims. Similarly, due to spaceconstraints, neither the Abstract nor the Summary of the Inventionsections of the present document should be taken as containing acomprehensive listing of all such techniques or all aspects of suchtechniques.

It should be understood that the description and the drawings are notintended to limit the present techniques to the particular formdisclosed, but to the contrary, the intention is to cover allmodifications, equivalents, and alternatives falling within the spiritand scope of the present techniques as defined by the appended claims.Further modifications and alternative embodiments of various aspects ofthe techniques will be apparent to those skilled in the art in view ofthis description. Accordingly, this description and the drawings are tobe construed as illustrative only and are for the purpose of teachingthose skilled in the art the general manner of carrying out the presenttechniques. It is to be understood that the forms of the presenttechniques shown and described herein are to be taken as examples ofembodiments. Elements and materials may be substituted for thoseillustrated and described herein, parts and processes may be reversed oromitted, and certain features of the present techniques may be utilizedindependently, all as would be apparent to one skilled in the art afterhaving the benefit of this description of the present techniques.Changes may be made in the elements described herein without departingfrom the spirit and scope of the present techniques as described in thefollowing claims. Headings used herein are for organizational purposesonly and are not meant to be used to limit the scope of the description.

As used throughout this application, the word “may” is used in apermissive sense (i.e., meaning having the potential to), rather thanthe mandatory sense (i.e., meaning must). The words “include”,“including”, and “includes” and the like mean including, but not limitedto. As used throughout this application, the singular forms “a,” “an,”and “the” include plural referents unless the content explicitlyindicates otherwise. Thus, for example, reference to “an element” or “aelement” includes a combination of two or more elements, notwithstandinguse of other terms and phrases for one or more elements, such as “one ormore.” The term “or” is, unless indicated otherwise, non-exclusive,i.e., encompassing both “and” and “or.” Terms describing conditionalrelationships, e.g., “in response to X, Y,” “upon X, Y,”, “if X, Y,”“when X, Y,” and the like, encompass causal relationships in which theantecedent is a necessary causal condition, the antecedent is asufficient causal condition, or the antecedent is a contributory causalcondition of the consequent, e.g., “state X occurs upon condition Yobtaining” is generic to “X occurs solely upon Y” and “X occurs upon Yand Z.” Such conditional relationships are not limited to consequencesthat instantly follow the antecedent obtaining, as some consequences maybe delayed, and in conditional statements, antecedents are connected totheir consequents, e.g., the antecedent is relevant to the likelihood ofthe consequent occurring. Statements in which a plurality of attributesor functions are mapped to a plurality of objects (e.g., one or moreprocessors performing steps A, B, C, and D) encompasses both all suchattributes or functions being mapped to all such objects and subsets ofthe attributes or functions being mapped to subsets of the attributes orfunctions (e.g., both all processors each performing steps A-D, and acase in which processor 1 performs step A, processor 2 performs step Band part of step C, and processor 3 performs part of step C and step D),unless otherwise indicated. Similarly, reference to “a computer system”performing step A and “the computer system” performing step B caninclude the same computing device within the computer system performingboth steps or different computing devices within the computer systemperforming steps A and B. Further, unless otherwise indicated,statements that one value or action is “based on” another condition orvalue encompass both instances in which the condition or value is thesole factor and instances in which the condition or value is one factoramong a plurality of factors. Unless otherwise indicated, statementsthat “each” instance of some collection have some property should not beread to exclude cases where some otherwise identical or similar membersof a larger collection do not have the property, i.e., each does notnecessarily mean each and every. Limitations as to sequence of recitedsteps should not be read into the claims unless explicitly specified,e.g., with explicit language like “after performing X, performing Y,” incontrast to statements that might be improperly argued to imply sequencelimitations, like “performing X on items, performing Y on the X'editems,” used for purposes of making claims more readable rather thanspecifying sequence. Statements referring to “at least Z of A, B, andC,” and the like (e.g., “at least Z of A, B, or C”), refer to at least Zof the listed categories (A, B, and C) and do not require at least Zunits in each category. Unless specifically stated otherwise, asapparent from the discussion, it is appreciated that throughout thisspecification discussions utilizing terms such as “processing,”“computing,” “calculating,” “determining” or the like refer to actionsor processes of a specific apparatus, such as a special purpose computeror a similar special purpose electronic processing/computing device.Features described with reference to geometric constructs, like“parallel,” “perpendicular/orthogonal,” “square”, “cylindrical,” and thelike, should be construed as encompassing items that substantiallyembody the properties of the geometric construct, e.g., reference to“parallel” surfaces encompasses substantially parallel surfaces. Thepermitted range of deviation from Platonic ideals of these geometricconstructs is to be determined with reference to ranges in thespecification, and where such ranges are not stated, with reference toindustry norms in the field of use, and where such ranges are notdefined, with reference to industry norms in the field of manufacturingof the designated feature, and where such ranges are not defined,features substantially embodying a geometric construct should beconstrued to include those features within 15% of the definingattributes of that geometric construct. The terms “first”, “second”,“third,” “given” and so on, if used in the claims, are used todistinguish or otherwise identify, and not to show a sequential ornumerical limitation. As is the case in ordinary usage in the field,data structures and formats described with reference to uses salient toa human need not be presented in a human-intelligible format toconstitute the described data structure or format, e.g., text need notbe rendered or even encoded in Unicode or ASCII to constitute text;images, maps, and data-visualizations need not be displayed or decodedto constitute images, maps, and data-visualizations, respectively;speech, music, and other audio need not be emitted through a speaker ordecoded to constitute speech, music, or other audio, respectively.Computer implemented instructions, commands, and the like are notlimited to executable code and can be implemented in the form of datathat causes functionality to be invoked, e.g., in the form of argumentsof a function or API call.

In this patent, to the extent any U.S. patents, U.S. patentapplications, or other materials (e.g., articles) have been incorporatedby reference, the text of such materials is only incorporated byreference to the extent that no conflict exists between such materialand the statements and drawings set forth herein. In the event of suchconflict, the text of the present document governs, and terms in thisdocument should not be given a narrower reading in virtue of the way inwhich those terms are used in other materials incorporated by reference.

The present techniques will be better understood with reference to thefollowing enumerated embodiments:

1. A tangible, non-transitory, machine-readable medium storinginstructions that when executed by one or more processors effectuateoperations comprising: accessing, with a processor of an embeddedcomputing device, immutable executable code stored in read-only memoryof the embedded computing device; executing, with the processor of theembedded computing device, instructions of the immutable executable codethat retrieve, from the read-only memory, a network-layer address of atamper-evident, immutable data repository and an application-layeraddress of firmware of the embedded computing device stored in thetamper-evident, immutable data repository; executing, with the processorof the embedded computing device, instructions of the immutableexecutable code that, using the network-layer address and theapplication-layer address, download the firmware of the embeddedcomputing device from the tamper-evident, immutable data repository;executing, with the processor of the embedded computing device,instructions of the immutable executable code that store the downloadedfirmware in re-writeable memory of the embedded computing device; andexecuting, with the processor of the embedded computing device,instructions of the immutable executable code that cause an instructionaddress register of the processor or another processor of the embeddedcomputing device to point to a first address of the firmware in there-writeable memory of the embedded computing device to initiateexecution of the firmware by the processor or another processor of theembedded computing device.2. The medium of embodiment 1, wherein: the tamper-evident, immutabledata repository comprises one or more directed acyclic graphs ofcryptographic hash pointers storing the firmware in one or more nodes ofthe one or more graphs.3. The medium of embodiment 2, the operations comprising: verifying thatthe firmware has not been subject to tampering by computing a hashdigest of the firmware and determining that the hash digest isconsistent with one or more cryptographic hash values of thecryptographic hash pointers of nodes not storing part of the firmware.4. The medium of embodiment 3, wherein: verifying that the firmware hasnot been subject to tampering is performed by the processor of theembedded computing device while executing the instructions of theimmutable executable code.5. The medium of embodiment 1, wherein: execution of a first part of thefirmware begins before downloading a second part of the firmware.6. The medium of embodiment 5, the operations comprising: verifying thatthe first part of the firmware has not been subject to tampering by theprocessor of the embedded computing device while executing theinstructions of the immutable executable code; and after beginning toexecute the first part of the firmware, verifying that the second partof the firmware has not been subject to tampering by the processor ofthe embedded computing device while executing instructions of the firstpart of the firmware.7. The medium of embodiment 1, the operations comprising: incrementing aversion of the firmware to a newer version of the firmware by writing avalue to a write-once memory of the embedded computing device, the writeonce memory being configured to prevent decrementing the version of thefirmware; and determining a location of at least part of the newerversion of the firmware in the tamper-evident, immutable data repositorybased on both the application-layer address and the value written to thewrite-once memory.8. The medium of embodiment 7, wherein: writing the value to thewrite-once memory comprises blowing a fuse among a plurality of fuses ofthe embedded computing device, different fuses in the pluralitycorresponding to different versions of the firmware.9. The medium of embodiment 1, wherein: the embedded computing device isa hardware sub-system of a computing device having a plurality ofembedded computing devices and a central processing unit and systemmemory that is distinct from memory of the embedded computing device.10. The medium of embodiment 1, wherein the firmware is stored as adocument segmented into different leaf nodes of Merkle trees of blocksof one or more blockchains.11. A tangible, non-transitory, machine-readable medium storinginstructions that when executed by one or more processors effectuateoperations comprising: receiving a request to execute with a computingdevice, or install on the computing device, an untrusted instance ofsub-operating-system (OS)-level executable code stored in re-writeablememory of the computing device; and in response to the request,verifying that the untrusted instance of the sub-OS-level code has notbeen subject to tampering by executing, with the computing device,instructions stored in read-only memory of the computing device to:calculate a first hash digest of the untrusted instance of thesub-OS-level executable code stored in the re-writeable memory of thecomputing device; obtain, from a distributed acyclic graph ofcryptographic hash pointers stored external to the computing device, asecond hash digest of a trusted instance of the sub-OS-level code;determine whether the first hash digest matches the second hash digestand, in response to the determination, determine whether to execute orto install the untrusted instance of the sub-OS-level code or blockexecution or installation of the untrusted instance of the sub-OS-levelcode; and storing a result of the determination of whether to execute orto install the untrusted instance of the sub-OS-level code in memory.12. The medium of embodiment 11, wherein: the request is a request toexecute the sub-OS-level code; and the sub-OS-level code comprises:firmware, microcode, Unified Extensible Firmware Interface (UEFI) code,Basic Input Output System (BIOS) code, or a boot loader; and thecomputing device is a personal computer, a server, a baseboardmanagement controller, a network-interface controller, a hard drivecontroller, a baseband processor, a secure element, or a solid-statedrive controller.13. The medium of embodiment 11, wherein: the computing device is anInternet-of-Things appliance, an industrial process controller, a robot,a drone, an automobile, a set-top-rich media streaming device, a smartspeaker, or a medical device.14. The medium of embodiment 11, wherein: the first hash digest isdetermined to not match the second hash digest and, in response to thedetermination, execution or installation of the untrusted instance ofthe sub-OS-level code is blocked.15. The medium of embodiment 14, the operations comprising: downloading,by executing with the computing device the instructions stored inread-only memory of the computing device, a copy of the trusted instanceof the sub-OS-level code and writing the copy of the trusted instance ofthe sub-OS-level code to the re-writable memory of the computing device.16. The medium of embodiment 15, wherein: the copy of the trustedinstance of the sub-OS-level code is downloaded from the distributedacyclic graph of cryptographic hash pointers or another distributedacyclic graph of cryptographic hash pointers by sending a request to anetwork address specified by the read only memory of the computingdevice.17. The medium of embodiment 17, wherein: the trusted instance of thesub-OS-level code is stored in a plurality of nodes of the distributedacyclic graph of cryptographic hash pointers or another distributedacyclic graph of cryptographic hash pointers.18. The medium of embodiment 18, wherein: the trusted instance of thesub-OS-level code is stored as an initial version and a sequence ofdiffs relative to previous versions in a version graph in a plurality ofnodes of the distributed acyclic graph of cryptographic hash pointers oranother distributed acyclic graph of cryptographic hash pointers.19. The medium of embodiment 11, wherein: a first set of one or moreprocessors of the computing device executes the instructions stored inread-only memory of the computing device to verify the untrustedinstance of the sub-OS-level code; a second set of one or moreprocessors of the computing device that is disjoint from the first setof one or more processors executes the sub-OS-level code afterverification.20. A method, comprising: the operations of any one of embodiments 1-19.21. A system, comprising: one or more processors; and memory storinginstructions that when executed by the one or more processors effectuateoperations comprising: the operations of any one of embodiments 1-19.

What is claimed is:
 1. A method, comprising: obtaining, with an embeddedcomputing device, a request to execute firmware of the embeddedcomputing device; after obtaining the request, with the embeddedcomputing device, determining a first hash value based on code offirmware of the embedded computing device, the at least some of the codeof the firmware being stored in re-writable memory of the embeddedcomputing device; retrieving, with the embedded computing device, fromread-only memory of the embedded computing device, information by whicha network address is identifiable; causing, with the embedded computingdevice, a determination that the first hash value is the same as asecond hash value corresponding to a trusted version of the code of thefirmware, wherein the second hash value or trusted version of the codeof the firmware is rendered tamper-evident by a directed acyclic graphof cryptographic hash pointers accessible, at least in part, via thenetwork address; and in response to the determination, executing thefirmware of the embedded computing device with the embedded computingdevice.